I sort of agree with the sentiments expressed by Shalendra Chhabra. The value added by M$ or Verisign is questionable. I would rather I could pop over to my local bank and get a cert. They know me and I trust them. I do not trust Verisign.

I have said this before in this group and I will repeat it. I see nothing that would stop a felon in prison from incorporating a company and getting a cert. The bottom line is that the theory is fine... but in practice I feel commercial CAs should be institutions that we already trust, like the local bank or law office. Trusting Verisign or Microsoft is questionable. I also feel it is somewhat ludicrous that my local bank should be expected to shell out $1000s so they can get a cert that allows them to re-issue certs. IMHO this is just a racket.

In practice I think "good" works like this. Any cert that does not fire up a warning message from the Windows machine running the browser would be considered good. This means that one can use any of many ways to load a "good" cert into the machine. Windows has a LOT of exploits. Security is only as strong as the weakest link. This means the end user is probably the biggest security weakness in most cases. Simply pop up a dialog that asks the user to download the cert you want as a prior step. Perhaps write a signed ActiveX control and use it to install your own cert. If the machine is vulnerable to a virus then one can use that hole to install a cert.

Am I wrong?

On Tue, Jun 04, 2002 at 10:27:34AM -0500, Mark H. Wood wrote:
> On 4 Jun 2002, Shalendra Chhabra wrote:
> > 1. I am able to generate Certificate and Private Key
> > using command line options in Openssl.
> > can someone tell me are they considered good? and if they are good
> > why do we need Certificates from companies like
> > Microsoft, Verisign???????????
>
> Considered good by whom, and what does "good" mean? Certificates produced
> using OpenSSL ought to be just as good in the mathematical sense as anyone
> else's. What those certificates *mean* depends on just how hard the
> issuer works to prove that the entity requesting the certificate is
> providing a valid identity to be bound to the requested certificate.
>
> Certificates from recognized commercial CAs have considerable value
> because we believe that those CAs do a reasonable job of verifying
> identity. Certificates issued by the experimental OpenSSL-based CA I have
> on my office workstation have no particular value, and in fact my CPS says
> so. Certificates issued by random CAs set up with Microsoft's cert.
> management tools have value in proportion to the trust you place in the
> person running the CA and the security of the CA host machine.
>
> Commercial certificates for e.g. web servers have other value as well, in
> that most Web browsers will already be set up to trust those CAs. If you
> mint your own cert.s using OpenSSL or the Windows gadget, nobody will have
> heard of your CA so you have to convince them that you're trustworthy
> before they'll add your CA's self-signed cert. to their store of trusted
> authorities. (Of course, some people don't require much convincing.) A
> private CA is probably best used for internal projects only, since it's a
> lot easier to develop the necessary trust within a small, closed
> community.
>
> The MS gadget has one other thing going for it: it's all wrapped up in a
> pretty package so that you can just push a few buttons and have a private
> CA ready for use. OTOH OpenSSL lets you see what it is doing, and it's
> flexible enough to do a lot more than just issue magic numbers.
>
> --
> Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
> MS Windows *is* user-friendly, but only for certain values of "user".
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
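Mark's point above (an OpenSSL-minted certificate is mathematically as good as any other; what changes is only whether the verifying side already has the issuing CA in its store) and the original poster's point (anything that can add a CA certificate to that store makes the CA's certificates "good") can both be reproduced with the openssl command line. The script below is an added example, not code from either poster or from the OpenSSL project. The names private-ca.example, commercial-ca.example and www.internal.example, the file layout, and the minimal req config are invented for it; it assumes an openssl binary (1.1.1 or later) on the PATH.

```sh
#!/bin/sh
# Added example, not code from the thread: build a private CA with the openssl
# CLI, issue a server certificate from it, then run the same certificate
# through three trust stores to show that the verdict depends only on which CA
# certificates the verifying side holds. Names and file layout are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req(1) config so the run does not depend on the system openssl.cnf.
# The real DN for each certificate comes from -subj on the command line.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt             = no
x509_extensions    = ca_ext

[dn]
CN = placeholder

[ca_ext]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# End-entity extensions for the server certificate (one host name, not a CA).
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.internal.example\n' \
  > "$WORK/leaf.ext"

# Self-signed CA certificate plus private key. $1 = CN, $2 = file stem.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -sha256 \
    -config "$WORK/req.cnf" -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# CSR for the server, signed by the CA whose file stem is $1.
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/req.cnf" -subj "/CN=www.internal.example" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$WORK/server.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/server.pem" 2>/dev/null
}

# Chain validation the way a client does it. $1 = trust store (PEM bundle),
# $2 = certificate under test. Prints "verified" or "rejected".
check_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo verified
  else
    echo rejected
  fi
}

make_ca private-ca.example    private-ca     # the "local bank" CA of the thread
make_ca commercial-ca.example commercial-ca  # stands in for a CA browsers ship with
issue_server_cert private-ca

# 1. A store holding only the private CA: the signature and chain are fine.
RESULT_PRIVATE_STORE=$(check_chain "$WORK/private-ca.pem" "$WORK/server.pem")

# 2. A store holding only the commercial CA, i.e. a browser that has never
#    heard of the private CA: the identical certificate is rejected.
cp "$WORK/commercial-ca.pem" "$WORK/browser-store.pem"
RESULT_FOREIGN_STORE=$(check_chain "$WORK/browser-store.pem" "$WORK/server.pem")

# 3. Someone appends the private CA to that store (the "install your own
#    cert" step from the post): the same certificate is accepted from now on.
#    Nothing about the certificate changed; only the store did.
cat "$WORK/private-ca.pem" >> "$WORK/browser-store.pem"
RESULT_AFTER_IMPORT=$(check_chain "$WORK/browser-store.pem" "$WORK/server.pem")

printf 'private CA only:    %s\ncommercial CA only: %s\nafter import:       %s\n' \
  "$RESULT_PRIVATE_STORE" "$RESULT_FOREIGN_STORE" "$RESULT_AFTER_IMPORT"
```

Run it with `sh` and the three lines come out as verified, rejected, verified. Step 3 is the whole of the "good cert" argument in the post: a dialog the user clicks through, a signed control, or a virus only has to get one extra PEM block into the store the browser consults, after which every certificate that CA ever signs passes without a warning. The thing worth protecting is therefore write access to the trust store, not the arithmetic in the certificate.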