-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Just my humble opinion:
We had ran a self-signed CA several years.
I would claim, that in theory this is more secure than using pre-installed third party CAs. Using a self-signed cert per server might do for small numers as well. However, when it comes to user divergence (or users coming from a wide range of knowledge and a wide range of devices come into play), roll your own is nightmare of support. As stated by others, some clients (Web browser, systems, mail clients, ...) make it hard to install own certs, Android even claims that the network (all of it from the interpretation of users) becomes insecure, once you install your own root cert. It looks like that more and more clients warns *each* time you access a server with a self-signed cert.
In the end, the gain of security (identify servers) was torpedoed by support and lack of understanding *and* will, even including poeple one might think they understand the need of extra steps in favour of security.
IMHO, the cert hierarchie today exclude eavesdropping by normal attackers, but is not suitable to identify servers or clients, because you (aka I) cannot trust the pre-installed trusted CAs.
If your set of users and devices is small enough, you can prepare all devices or offer an installation packet (for home users with a fixed set of clients), roll your own CA is easy and I would go this way. Alas, clients *should* mark personally trusted CAs differently than vendor-trusted ones. So users can see, if they speak with the correct server or if the server just looks alike, e.g. example.com vs. exampel.com .
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQEVAwUBWY1RBHz1H7kL/d9rAQJQdAf/WgD+230Fon0rlXHeTsaQ2fZnn55yA+Eb 6K8RxEJ3y1EK6kgVAlAICxU92ft8smjQZGUU4vhWv/fLnXUErSaptOnXu3Nk7io2 5LqEwv+jmcLWthqxkSY2NJw3kzaNTYLcuQ8cXAVHuzwQlJO4x0MAq1WR4kVQtQh6 cP/EinFxhWjyqQElSJ7ph3EYR/UJVTx1HVFS6bBiA+vY9s07EH64SRomOSwVC3ng ryQZrwc2+5u+9hFfOnuGnBqj76szjhqPpa2PV7fQx8cFuJpJrctVxT+zbLf2sJpF 2XDzygpEiEbQuMe1st6ugOey9N+pdRWstsouVBbUAZ3L5PckmUYYVQ== =X902 -----END PGP SIGNATURE-----