Arcady Genkin wrote:
> 
> The documentation states that being one's own CA is insecure in the
> Internet environment, while it is acceptable on the intranet.  Could
> anyone explain the issues implied by that statement?

SSL is not less secure if you are your own CA, at least from a technical
point of view. 
But the problem is that a CA is supposed to be a mutually trusted
neutral third party, that can guarantee to the server that the client is
who it says it is, and to the client that the server is who it says it
is. 
If you are your own CA, chances are no one on the internet is going to
trust you.
In your situation though, I think it's of little or no importance. 

> 
> Also, to what extent is the user inconvenienced by an SSL site using
> a certificate signed by a non-well-known authority?  Are the browsers
> cooperative when it comes to adding such an authority to the list of
> known CAs?

I wouldn't count on Netscape or Microsoft to include your university's
self-signed root CA certificate :-)
Still, that's not really a problem. The only inconvenience is that
clients will have to explicitly import your own root CA certificate just
once.

> 
> We are planning on setting up a secure site for a university's
> computer lab for the instructors and students to use.  So, the context
> is non-commercial environment where the users can trust us to provide
> valid certificates.  They'll be connecting both via the local network
> and the Internet, though, and we'd like to know what we are risking by
> going the way of being our own CA.

From what you tell me, I'd say being your own CA is a very good solution.

Regards,
Jan
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
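
The trust point made in the reply above can be checked with the `openssl` command line. This is an added example, not part of the original message or of the mod_ssl documentation; every name in it (Example University, lab.example.edu, the stand-in public CA) is a constructed placeholder. It signs a server certificate with a private root and verifies it twice: once against a trust store that does not contain the root, and once after the root has been imported.

```shell
#!/usr/bin/env bash
# Constructed demo: all names below are placeholders, not values from the thread.
set -eu

# Prints ACCEPTED or REJECTED for certificate $2 checked against trust store $1.
check_chain() {
  if openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; then
    echo ACCEPTED
  else
    echo REJECTED
  fi
}

# Creates a self-signed root: $1 = file prefix, $2 = common name.
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example University/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

demo_own_ca() {
  local dir
  dir=$(mktemp -d)
  (
    umask 077   # private keys must not be readable by other users
    new_root "$dir/lab-ca" "Example Lab Root CA"        # the university's own CA
    new_root "$dir/public-ca" "Stand-in Public CA"      # what clients trust by default
    # Server key and signing request, then the lab CA signs the request.
    openssl req -newkey rsa:2048 -nodes \
      -subj "/O=Example University/CN=lab.example.edu" \
      -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -days 30 \
      -CA "$dir/lab-ca.crt" -CAkey "$dir/lab-ca.key" -CAcreateserial \
      -out "$dir/server.crt" 2>/dev/null
  )
  # Client that has never heard of the lab CA: the chain has no trusted issuer.
  echo "before_import=$(check_chain "$dir/public-ca.crt" "$dir/server.crt")"
  # Same client after importing the lab root once: same certificate, now trusted.
  cat "$dir/public-ca.crt" "$dir/lab-ca.crt" > "$dir/bundle.crt"
  echo "after_import=$(check_chain "$dir/bundle.crt" "$dir/server.crt")"
  rm -rf "$dir"
}

demo_own_ca
```

The certificate and its cryptography are identical in both checks; only the contents of the client's trust store change the result.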