[Info-vax] [OT] Zero trust software, was: Re: Rethinking DECNET ?
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Wed Sep 3 10:36:11 EDT 2014
On 2014-09-03 01:23:33 +0000, JF Mezei said:
> With self signed certificate, there is no way to check authenticity of
> the certificate, so you could be an imposter masquerading as someone
> else.

Using self-signed certificates can be very useful, and can be entirely
secure. So yes, there is a way to use self-signed certificates here.

In particular, various entities already maintain their own
certificate-signing chains.

Once the necessary private root certificate public key is loaded into
the client and only loaded using some trusted means, this all works
nicely, and securely, and just like commercially-purchased certificates.

This allows using a privately-signed certificate chain for maintaining
security with their own clients, and with affiliated clients, too.

I have code posted that does this for OpenVMS, including a DCL
demonstration of a VMS root certificate and certificate-signing, as was
referenced in an earlier reply.

Those purchased certificates? You're buying the key distribution path;
that the root certificate public key is already loaded into the clients
you'll be working with.

--
Pure Personal Opinion | HoffmanLabs LLC
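
The private-root arrangement described in the message above, as an added example that is not part of the original post and is not the OpenVMS/DCL code it refers to. It assumes a POSIX shell with the OpenSSL command-line tool and its default configuration file; every name, path and subject in it is constructed for illustration.

```shell
#!/bin/sh
# Added example: a private root as the client's only trust anchor.
# All file names and subject names below are constructed.
set -eu

make_pki() {  # $1 = working directory
  d=$1
  mkdir -p "$d"
  # 1. Private root: self-signed; its key stays with the signing entity.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Private Root" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # 2. Server key and signing request, then a certificate issued by the root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.invalid" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/root.crt" \
    -CAkey "$d/root.key" -CAcreateserial -sha256 -days 30 \
    -out "$d/server.crt" 2>/dev/null
  # 3. Impostor: a different self-signed key claiming the same server name.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=server.example.invalid" \
    -keyout "$d/fake.key" -out "$d/fake.crt" 2>/dev/null
}

# Client side: root.crt stands for the copy delivered by a trusted means.
# The exit status is the verdict for the certificate in $2.
trusted() {  # $1 = directory holding root.crt, $2 = certificate to check
  openssl verify -CAfile "$1/root.crt" "$2" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_pki "$demo_dir"
for c in server fake; do
  if trusted "$demo_dir" "$demo_dir/$c.crt"; then
    echo "$c.crt: accepted (chains to the private root)"
  else
    echo "$c.crt: rejected (no path to the private root)"
  fi
done
```

The subject name alone decides nothing here: both certificates claim the same server name, and only the one with a signature path to the root the client already holds is accepted.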