[Freedombox-discuss] Friendika

Boaz alt.boaz at gmail.com
Wed Jul 13 17:54:45 UTC 2011


>WebID uses SSL, but as far as I understand it doesn't rely on any CA. The
>certificates can be self-signed and they will work the same. It uses the
>private key installed in your PC (which might not be very convenient) and
>checks if it belongs to the public key (which you have copied sometime before)
>returned by the FOAF file. If they match, your friend's server can be sure that
>you are who you claim to be
>( http://www.w3.org/wiki/Foaf%2Bssl ). In this scheme it doesn't matter which
>the CA is.

Let's be clear: self-signed certificates provide no protection against
MITM attack.  In other words, no assurance to your friends that you
"are who you claim to be" (unless you gave them your key fingerprint
on a slip of paper or something).  That assurance is the service that
we supposedly get from certificate authorities.


Boaz


