Hacker News new | past | comments | ask | show | jobs | submit login

Assuming you understand the structural difference between a self signed and a CA signed certificate (ie: subject pubkey sig vs issuer pubkey sig respectively) the difference is clear.

You cannot determine provenance of a self-signed certificate. The sig matches the subject. With a CA signed, the hold of the CA private key is the only source (with high probability), so it is attributable.

If you trust the company or not -- play with you trust store. Otherwise this is apples and oranges.

The only time when this comparison would be apt would be the compromise of the Comodo Private Key. This would allow anyone to issue Comodo certificates, thus removing their provenance. Of course then their cert would be revoked and we wouldn't have this conversation.




You cannot determine providence of a self-signed certificate.

Exactly, though I think you meant "provenance". It's exactly like how we now know we can't determine the provenance of a Comodo certificate, agreed?


No.

I think I understand why you are not following what I am saying.

You prove that the certificate came from comodo, and only comodo. It can't have come from anyone else. This isnt trust -- its public key crypto. Only the issuer could sign it. If you trust it or not, its irrelevant, only that it could only have possibly originated from there.

If you believe that the public key is truly owned by the subject because the issuer said so -- this is trust.


OK, but that's only helpful here in the sense that I could remove Comodo from my trust store, but nobody's going to do that. Not even me, and I'm the one complaining about this. What I can't do is have any confidence in the provenance of a CSR they signed: did it actually come from the organization that controls that domain? (That was what I meant by "provenance")


US english term, ill correct it




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: