[Remops] Oops! Small problem!

richard at quicksilvermail.net
Tue Nov 11 22:43:15 GMT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Jeremy,

>>I think installing
>>invalid certs on users' computers is a very, very bad idea. I'm glad
>>we're on the same page here.
>>
>>Unfortunately, the user cannot decide to accept the certs since they get
>>no chance to do that. But we have what we have. The problem is not
>>windows and not mixmaster. The problem is invalid certificates and if
>>anything is fixed, it should be that.
>
> I just want to point out that a self-signed certificate is not invalid
> per se. It is just not signed by a recognized X.509 certificate authority.
> In my case (and probably others), I've posted the certificate (signed
> by my admin key) on my web page. Users can download the certificate
> from the web page, confirm its validity with the signature, and add it to
> their certificate store.

Sometimes my lack of education gives me away. It seems that if I'm not
fumbling for the correct word, I'm just using the wrong one! I'm sure
you see that. You guys are extremely strong in your knowledge of
security. If I'm good at anything, I guess, it would be designing the
user interface. With the security aspect, I often need advice. My formal
education amounts to 2 quarters of Pascal, at our community college, in
1987!

What you say makes sense.

> There are lots of arguments about the security of the CA system that
> is now in place to verify X.509 certificates. I won't repeat them here.
> I just want to emphasize that what I've described above is a very secure
> way to validate an X.509 certificate. It does require a bit of work
> on the part of the user.
>
> In my case, usage of a self-signed certificate stems from my feeling
> that an anonymity system should not have to depend on registration
> with a central authority for operation, and not on an inability to
> obtain a certificate from a CA (for whatever reason).

I tend to fall into the trap of thinking my own experience is the only
point of view there is. Please forgive me for that assumption. Your
explanation is very understandable. You have a great point.

Thanks,

Richard

-----BEGIN PGP SIGNATURE-----
Version: N/A
-----END PGP SIGNATURE-----
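The out-of-band procedure Jeremy describes above (the operator publishes the self-signed certificate, the user checks it against something obtained independently and then adds it to their own trust store) as an added Go example; this is not code from the thread or from any remailer software. The PGP-signature check on the download is left to gpg; here the user compares a SHA-256 fingerprint that is assumed to have been obtained out of band. The hostname remailer.example and the generated key are assumptions, and the certificate is constructed inline so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSigned plays the operator's side: a certificate signed by its own
// key, with no CA involved. The hostname is an assumed example value.
func makeSelfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// Template and parent are the same object: that is what "self-signed" means.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint is the SHA-256 of the DER encoding: the value the operator
// would publish (and PGP-sign) and the user compares after downloading.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifyWithRoots checks the certificate against the given roots only.
// A nil pool means the system store, where a self-signed cert fails.
func VerifyWithRoots(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// TrustPinned is the user's side: refuse the certificate unless its
// fingerprint matches the one obtained out of band, and only then add it
// to a private trust store (not the system CA list) and confirm it verifies.
func TrustPinned(cert *x509.Certificate, pinnedFP, host string) (*x509.CertPool, error) {
	if Fingerprint(cert) != pinnedFP {
		return nil, errors.New("fingerprint mismatch: do not trust this certificate")
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	if err := VerifyWithRoots(cert, pool, host); err != nil {
		return nil, err
	}
	return pool, nil
}

func main() {
	const host = "remailer.example" // assumed hostname
	cert, err := makeSelfSigned(host)
	if err != nil {
		panic(err)
	}
	fp := Fingerprint(cert)
	fmt.Println("published fingerprint:", fp)
	fmt.Println("system store verdict:", VerifyWithRoots(cert, nil, host))
	if _, err := TrustPinned(cert, fp, host); err == nil {
		fmt.Println("pinned store verdict: trusted after out-of-band check")
	}
}
```

The point the thread makes is visible in the two verdicts: the same certificate is rejected by the default CA store and accepted once the user has checked it themselves, and a wrong fingerprint is rejected before anything is added to the store.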

