Gmail and SSL

Keith Medcalf kmedcalf at
Sun Dec 30 22:27:35 UTC 2012

While i will agree that the client being able to validate the certificate directly is the best place to be, I do not see any advantage of requiring purchased certificates over self-signed certificates.  IMO it provides no realistic security benefit at all.

Then again I don't award points for 
certificate verification having anything to do with identity verification of the remote party.

In other words, if I didn't sign it then the certificate posseses no more validity than an ephemeral self-signed certificate.

Of course, others are free to delude  themselves with additional "theatrics" and false assumtions if they want to do so.

Sent from Samsung Mobile

-------- Original message --------
From: Christopher Morrow <morrowc.lists at> 
To: kmedcalf <kmedcalf at> 
Cc: mysidia at,nanog at 
Subject: Re: Gmail and SSL 

More information about the NANOG mailing list