dnssec-trigger + GNOME + NetworkManager integration

Matthew Miller mattdm at fedoraproject.org
Thu Jul 2 14:10:59 UTC 2015

On Thu, Jul 02, 2015 at 04:04:37PM +0200, drago01 wrote:
> > a self signed certificate is exactly as secure as a CA certificate you pay
> > for after there are hundrets and thousands by default trusted CA's in the
> > browsers with the only difference you have to accept it once
> No its not. Because everyone can issue them you can't really know
> whether it is from who it claims to be from ... even in case you can
> its in case an attacker gains access of it the issuer can't really
> revoke it anymore.

Harald's point is that the "trusted" CAs are so numerous and so out of
control that it's really hard to ascribe more trust to many of them
than to a self-signed cert, yet there's no warning for these. You could
theoretically inspect the cert manually and track down the issuer and
so on, but I don't think very many people at all really do that.

Matthew Miller
<mattdm at fedoraproject.org>
Fedora Project Leader

More information about the devel mailing list