[jdev] Re: TLS and self-signed certs
Justin Karneges
justin-keyword-jabber.093179 at affinix.com
Thu Nov 11 19:17:10 CST 2004
On Thursday 11 November 2004 04:53 pm, Peter Saint-Andre wrote:
> In article
> <8CDC3525190B624F8F740435C7B9A01D59A2 at heineken.winfessor.com>,
>
> "JD Conley" <jconley at winfessor.com> wrote:
> > Allowing self signed (or otherwise untrusted) certs with STARTTLS +
> > EXTERNAL is opening yourself up for a serious security breach.
>
> Well, that's another story. But that claim on the URL I provided was
> that it is technically impossible, not inadvisable from a security
> standpoint.
Ah, right, this is certainly technically possible. People use self-signed or
otherwise unverified certificates all the time. I don't think there'd be
anything technically wrong with this. Even providing no cert at all should
be fine.
-Justin