On Mon, Jul 30, 2001 at 11:11:03PM -0500, Jon Schewe wrote: > So anyone can just make up a certificate and do ssl, just as long as anyone > going to the site trusts the unsigned certificate? > No, you have to have a signed certificate, you just don't have to have a cert signed by a certificate authority (e.g Verisign, Thawt, etc). It's perfectly fine for people to use a self-signed cert. The scary thing is when people just click through without reading about the cert. In fact, that's one of the reasons that PKI gets such a bad rap: It doesn't keep stupid people from hurting themselves. Gabe -- ------------------------------------------------------------------------ Gabe Turner gabe at msi.umn.edu SGI Origin Systems Administrator, University of Minnesota Supercomputing Institute for Digital Simulation and Advanced Computation www.msi.umn.edu ------------------------------------------------------------------------