On Mon, Mar 06, 2000 at 09:48:47AM -0000, Airey, John wrote:
> >-----Original Message-----
> >From: Karl Denninger [mailto:[EMAIL PROTECTED]]
> >Sent: 03 March 2000 15:39
> >To: [EMAIL PROTECTED]
> >Subject: Re: Certificate questions...
> 
> 
> >Hi John,
> 
> >On Fri, Mar 03, 2000 at 10:06:19AM -0000, Airey, John wrote:
> >> Assuming we are talking about Thawte's server test certificates, they are
> >> only for use for one month. Using them helps you to understand how to
> >> install a real certificate without running the risk of destroying it (a
> >> very real risk with NT!)
> 
> >Not really true.  You can set the validity up to 365 days.
> 
> Obviously Thawte have changed their policy on test certificates then. I
> haven't used one for a while but they are a useful test of their certificate
> issuing procedure without running the risk of losing money because you get
> your csr wrong.
> 
> Just to clarify, with Windows NT it is possible to install a certificate and
> private key without actually having a copy of them on disk, AFAIK (although
> it would be foolish not to keep a backup, wouldn't it?). If you need to
> reinstall NT, then you've lost them!
> 
> Like I said, if this isn't a public site you can create your own. All a
> certificate does is prove who you are, but if you are only securing data for
> internal use, you hopefully know who you are anyway.

Well, I understand that, but it seems that people (including Thawte,
Microslug and Nutscrape) are missing the point.

There are two separate things that secure web servers do.

1.      Authenticate who you're talking to, so that when you engage in
        commerce you have some indication that the merchant you think you're
        dealing with is really who you're dealing with.

2.      Encrypt the data so that it cannot be intercepted between the
        sending and receiving machines.

These are NOT the same function, and needing one of them does not imply
needing the other.  

Yet, in today's world, you cannot have one without the other, which means
that to get EITHER you must pay someone.

Contrast this with PGP for email, in which I can publish a public key and
once you obtain it you're able to receive an encrypted communication from 
me and decode the traffic.  My generation of that key pair does not require
that it be "certified" by any third party.

-- 
Karl Denninger ([EMAIL PROTECTED])  Web: http://childrens-justice.org
Isn't it time we started putting KIDS first?  See the above URL for
a plan to do exactly that!
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
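The distinction drawn above (generating a key pair and encrypting needs no third party; authenticating the peer needs a trust anchor the other side already holds, the way a PGP public key is obtained out of band) as an added shell example that is not part of this message or the mod_ssl project. It assumes the openssl command-line tool is installed; the work directory, file names and CN are constructed for the demo.

```shell
#!/bin/sh
# Added example: self-signed key pair and certificate for an internal server,
# with the authentication check and the key/cert consistency check kept separate.
# Assumes the openssl CLI; WORK, the file names and the CN are constructed.
set -u
WORK="${TMPDIR:-/tmp}/selfsigned-demo.$$"

# Generating the key pair and certificate involves nobody but us,
# exactly like generating a PGP key pair.
make_keypair_and_cert() {
    mkdir -p "$WORK" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=intranet.example" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Authentication, attempt 1: nobody the verifier already trusts vouches for
# this certificate, so verification fails (non-zero exit status).
verify_without_trust_anchor() {
    openssl verify "$WORK/cert.pem" >/dev/null 2>&1
}

# Authentication, attempt 2: the certificate was handed to the client out of
# band and is trusted explicitly (pinned), so verification succeeds without
# any commercial CA being involved.
verify_with_pinned_cert() {
    openssl verify -CAfile "$WORK/cert.pem" "$WORK/cert.pem" >/dev/null 2>&1
}

# The install-time mistake the thread worries about: confirm the private key
# and the certificate really belong together before putting them on a server.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$WORK/key.pem" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$WORK/cert.pem" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

cleanup() {
    rm -rf "$WORK"
}
```

The same pinned-trust idea is what a browser or `SSLCACertificateFile` in mod_ssl does when you point it at your own certificate instead of a public CA bundle.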
