R. Markham wrote:

The data is no less secure, true, but the authentication is much easier
for someone to fake, since the certificate chain doesn't go through a
trusted third party (Root CA): the person says "This is me. End of story"
and you choose whether you believe it or not.

Hi Shaun,

I don't understand why a root CA which everybody can download from the
internet is more secure than if I use my own CA.

The trick is not that everyone can download it, the trick is that (hopefully) no evil one can modify it. So Bill Gates certifies (by including the CA-certs on his distribution CDs or digitally signing the new certs for distribution via Windows Update) that those CA-certs are good CA-certs (I personally disagree sometimes, but that's another story).
If you download a CA-bundle from somewhere else you should make sure that the source is trustworthy and no one has modified it, typically by checking a digital signature or using a secure download.
Of course there are several possibilities to get your fingers in between in this procedure, but if you just give me a certificate and say "this is mine" I have no assurance that I'm receiving what you sent.

I want to make it clear I am not against using certificates from an official CA. But in some cases you
can save your money on the expenses for the certificate if you use your self-signed
certificate. If you want that only authenticated users can have
access, then you can use SSLVerifyClient in Apache.


You are completely right. There are lots of cases where you can use a self-signed CA even more securely than those "official" ones. But internet applications (in the sense of "my clients have nothing else to do with me") usually are not among them.
It always depends on having a "secure" (or "a bit more secure than unauthenticated internet") channel to distribute the CA-certificates. And of course the trust in the CAs themselves.

Regards

Richard
[...]


BTW, there is no offense intended by my side, I'm just trying to clarify this. ;)
Ted

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
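As an added illustration of the SSLVerifyClient point raised in the thread (this is example configuration, not something posted by Richard or Ted; the paths, hostname and CA organisation name are assumed), an Apache vhost that accepts only clients whose certificates chain to a private, self-signed CA:

```apache
# Added example, not from the thread. Assumed paths under /etc/ssl/private-ca/.
# Only the private CA is listed as trusted for client authentication; the
# public root bundle is deliberately NOT referenced here, so a certificate
# bought from any "official" CA is rejected.
<VirtualHost *:443>
    ServerName intranet.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/private-ca/server.crt
    SSLCertificateKeyFile /etc/ssl/private-ca/server.key

    # Clients must present a certificate issued by our own CA.
    SSLCACertificateFile  /etc/ssl/private-ca/ca.crt
    SSLVerifyClient require
    # Depth 1: the client cert must be signed directly by ca.crt, so no
    # intermediate issued by some other CA can be slipped into the chain.
    SSLVerifyDepth 1

    # Belt and braces: check who issued the client cert, not only that
    # the chain verified. "Example Private CA" is an assumed O= value.
    <Location /secure>
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "Example Private CA"
    </Location>
</VirtualHost>
```

The remaining problem is exactly the one Ted describes: ca.crt has to reach the clients over a channel they can verify, for instance by comparing `openssl x509 -in ca.crt -noout -fingerprint -sha256` against a fingerprint published out of band.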

