Hi John,
On Fri, Mar 03, 2000 at 10:06:19AM -0000, Airey, John wrote:
> Assuming we are talking about Thawte's server test certificates, they are
> only for use for one month. Using them helps you to understand how to
> install a real certificate without running the risk of destroying it (a very
> real risk with NT!)
Not really true. You can set the validity up to 365 days.
> They are not intended for production use. Thawte's own certificates are
> accepted by all browsers (AFAIK) and prove to those who connect to your site
> that you are the company that you say you are. This is what you pay for, and
> if you ask me it's well worth the money.
>
> If you don't intend to connect your site to the outside world, you can make
> your own certificates anyway. The documentation to do that comes with
> openssl.
>
> John
I'm NOT using SSL for ecommerce so "proving" something is worthless to me.
My entire and sole use for SSL on my web server is to ENCRYPT TRAFFIC. That
is, I don't CARE if someone believes I am who I say I am, but I very much
care that the CONTENT is not able to be picked off in transit.
For example, I receive faxes on my systems and store them in a private,
password-secured web directory. By ensuring that any access to that
directory or its contents requires SSL, I ensure that nobody can pick off
the traffic in transit and SEE the faxes that I may view from a remote
location. Since I use my fax system for things that I would consider
PRIVATE, this is important to me.
In this case I know damn well that I am who I say that I am, because I'm the
one connecting to the server. My *ONLY* use for SSL here is to PROTECT THE
DATA, *NOT* certify ownership.
Likewise, I might want to make data available to another person that I (1)
want to password protect for them, and (2) want to make CERTAIN is not
compromised in transit. HTTPS again does the job, but again, the
"certification" of who I claim to be is IRRELAVENT to the process.
There is NO WAY under the current paradigm that I've found to do this
without popping up warnings on every browser in existence. This is a
severe and serious shortcoming in the SSL software in those browsers,
as not *EVERYONE* is interested in using SSL for Ecommerce where the
identity of the owner of the connection is important!
As it stands I'll buy a cert from Thawte if I can jump through their hoops,
but for some people it is inherently NOT WHAT THEY WANT TO DO in passing
encrypted traffic (eg: vetting that the sender is who they say they are).
In fact, for SOME potential uses of secure communication, it is absolutely
anathema that either end be positively identifyable in this kind of fashion.
This is something that you SSL folks need to look into finding a way to
resolve - perhaps a public "CA" similar to the MIT keyring for PGP keys is
called for here - a place where you can "sign" a key but not jump through
said hoops, yet keep the silly warnings off the user's computers!
--
--
Karl Denninger ([EMAIL PROTECTED]) Web: http://childrens-justice.org
Isn't it time we started putting KIDS first? See the above URL for
a plan to do exactly that!
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
