Re: Self-signed security certificates.. (oh, the evil)



On Sat, 10 Sep 2005 01:53:20 GMT, Andrew Thompson
<SeeMySites@xxxxxxxxxxx> wrote or quoted :

>Most specifically, can anybody here attest that they
>*paid* for a code signing certificate before they had
>seen it work for a project?

Think "What is a certificate from Thawte for?". They are helping
someone determine if a program they found on the net was indeed truly
written by Canadian Mind Products, all without checking back to the
CMP website.

Thawte vouches: yes it was him. They are also indirectly vouching
that Roedy Green and Canadian Mind Products really exist. CMP is a
real company. They are in the phone book. Roedy has a passport. They
are also vouching that CMP is flush enough to part with $400 US a year
for the cert, no little fly by night. :-)

Let us say I am too cheap or poor to buy a cert and use a self signed
one. Well, it is obvious that whoever created the cert is the
person who created the CMP website. People trust whoever runs that
website just as much as they trust the company Canadian Mind Products.

So there really should not be an issue of trusting the identity of
that cert ON MY WEBSITE. Now elsewhere, there is nothing to stop
someone from taking one of my downloads, screwing with the code, and
re-signing with a fake certificate using my name.

The problem is people don't realize this and are overly afraid of my
phony cert on my website.

I have been creating ASP PAD XML file descriptors for all my code
which invites people to download and redistribute my downloads.
Ideally I would like to sign those with a real certificate.

--
Canadian Mind Products, Roedy Green.
http://mindprod.com Again taking new Java programming contracts.