| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1052604033.3620.14.camel@dogbert.localdomain> From: dantams at myrealbox.com (Daniel Tams) Subject: PGP vs. certificate from Verisign Yes, they still offer the free certificate. I have one myself. Here http://www.dallaway.com/acad/webstart/ is a writeup on how you can use that free certificate to even sign your Java apps. It is very annoying however that only very few developers properly sign their public keys/certtificates. Most just self-sign it. This is the case with X.509 as well as PGP. Whether you use PGP or X.509 you should always make sure it is signed by someone else, preferrably someone trusted, otherwise the whole idea goes down the sink as any script kiddie could create a public key/certificate with your name and e-mail address on it. The hard part is getting others to vouch for its authenticity. At some computer fairs you will find a booth where you can get your public PGP key signed by a trusted authority (at the CeBit it's c't magazine). - Daniel On Fri, 2003-05-09 at 23:48, Evans, TJ (BearingPoint) wrote: > At one time, i.e. - don't know if it still the case - Thawte would issue a > "personal cert" free. > > One advantage PGP has is the existing infrastructure for key distribution, > so that you do not necessarily need to have someone's public key (yet) in > order to encrypt to them or verify their signature. If they have pushed it > out to the publicly accessible key-servers you can get it as needed. But > again - it depends on what problem you are trying to solve and your > preferred method of doing so. > > > TJ
Powered by blists - more mailing lists