Identity or Encryption?
If you've ever set up an encrypted server, the first thing you probably did was test it with a self-signed certificate. If you use a web server with a self-signed certificate for HTTPS, your browser will give you a scary warning. At first glance, this seems wrong-especially since the browser doesn't give you a warning when you go to a site that isn't using encryption at all.
The reason is quite simple. Encryption and identity are very closely related. Imagine that you have two teletype machines connected to each other by a completely secure link. Anything typed on one end appears on the other end. Now place both of the machines in public places, and arrange for a friend to use one of the machines to communicate with you. When you arrive at your terminal, someone starts typing. How do you know that your friend is originating the message, rather than someone else who just happened to walk up?
Modern encryption protocols let you establish a connection that, if not 100% secure (if such a thing is even possible), is sufficiently hard to crack that it's generally not worthwhile to do so. When you connect to your bank, you can assume that the connection is secure. Similarly, when you connect to a site with a self-signed certificate, you can be fairly certain that no one is eavesdropping. However, you can't be certain that the person at the far end is really who you expect.
At the moment, Domain Name System Security Extensions (DNSSEC) isn't widely deployed. When you connect to a remote server, you typically do so by entering a host name. Your computer turns the host name into an IP address using a completely insecure protocol. If you're on a WiFi network, for example, it's trivial for someone else on the same network to return a fake result to you. When you connect to "my.trusted.bank.com," you'll actually be connecting to that person's laptop. Then you establish a completely secure connection to that unintended recipient, who in turn might establish a completely secure connection to your bank-and intercept (or even modify) all of your traffic.
The point of the signature is to give a bit more support to a recipient's claim that it's really your bank. This is why browsers warn you if you visit a site with a self-signed certificate: If you visit your bank online and get a secure connection with a self-signed certificate, you want to be informed that it probably really isn't your bank.
