On Thu, Jul 02, 2015 at 04:04:37PM +0200, drago01 wrote: > > a self signed certificate is exactly as secure as a CA certificate you pay > > for after there are hundrets and thousands by default trusted CA's in the > > browsers with the only difference you have to accept it once > No its not. Because everyone can issue them you can't really know > whether it is from who it claims to be from ... even in case you can > its in case an attacker gains access of it the issuer can't really > revoke it anymore. Harald's point is that the "trusted" CAs are so numerous and so out of control that it's really hard to ascribe more trust to many of them than to a self-signed cert, yet there's no warning for these. You could theoretically inspect the cert manually and track down the issuer and so on, but I don't think very many people at all really do that. -- Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> Fedora Project Leader -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
