In article <[EMAIL PROTECTED]>, Steve Kostecke <[EMAIL PROTECTED]> wrote:

> On 2007-05-28, Per Jessen <[EMAIL PROTECTED]> wrote:
>
> > Steve Kostecke wrote:
> >
> >>>> Are you offering to underwrite the cost of an SSL certificate for
> >>>> us?
> >>>
> >>> You could try http://www.cacert.org/
> >>
> >> I've considered that. However the cacert root certificate is not
> >> preinstalled in MSIE. So you still have the issue of the scary dialog
> >> box and the ensuing confusion.
> Cacert will send anyone a server cert. No verification is performed; all
> you need is an e-mail address in the domain. How, exactly, is that a big
> improvement over a self signed cert?

They have two levels of certificate (this is also an issue with Verisign, etc. - most people trust all IE's root certificates, whereas some are better authenticated than others). Even the basic level verifies email routing.

> They could just as well load the NTP root cert.

The issue with certificates isn't about getting rid of the scary message, it is about getting rid of the reason for the scary message. If you are not able to use a trusted third party or to use alternatively authenticated means of distributing your certificate, e.g. sending the fingerprint as paper mail on headed paper when requested by paper mail, your best option is not to use SSL, as the real risk of a passive tap is very little more than that of a man-in-the-middle tap.

The message is scary because the whole basis of SSL is undermined by self-signed certificates. Although sold to the public as about encryption, SSL is really about authentication. Without authentication, you don't need certificates.

CACERT's root certificates are much better publicised than ntp.isc's, and I believe are now in some browsers, so there is much less chance of being given a bogus root certificate. (The weakest link for most certificates is the browser distribution.)

Theoretically, it is also possible to use SSL without a certificate. That would be honest, as the certificate is about authentication, not encryption, but I'm not sure that it is supported by servers, and therefore might not be supported by all browsers.

_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.isc.org/mailman/listinfo/questions
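One way a client can get the authentication the thread is talking about without a browser-trusted CA is to pin the fingerprint received out of band (the "headed paper" route) and accept the self-signed certificate only if it matches. This is an added example, not code from the thread or from the NTP project; the certificate bytes, host and port are constructed stand-ins.

```python
"""Authenticate a self-signed server certificate by a SHA-256 fingerprint
obtained out of band, instead of by a CA chain the browser happens to ship."""
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(fp: str) -> str:
    """Accept OpenSSL-style 'AB:CD:..' or bare hex in any case; return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Constant-time comparison of the presented certificate against the pinned value."""
    return hmac.compare_digest(sha256_fingerprint(der_cert), normalize_fingerprint(expected))


def connect_pinned(host: str, port: int, expected_fp: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the peer cert matches the pinned fingerprint.
    Chain and hostname checks are turned off because a self-signed cert has no chain;
    the authentication comes from the out-of-band fingerprint instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)  # DER bytes the peer presented, unvalidated
    if der is None or not fingerprint_matches(der, expected_fp):
        tls.close()
        raise ssl.SSLError("peer certificate does not match the pinned fingerprint")
    return tls


# Constructed sample data: stand-ins for the genuine DER certificate and an impostor's.
SAMPLE_CERT = b"constructed-der-certificate-bytes-of-the-genuine-server"
IMPOSTOR_CERT = b"constructed-der-certificate-bytes-presented-by-an-interposer"
# The fingerprint as it would be printed on paper (OpenSSL colon-separated, upper case).
PINNED_FP = ":".join(f"{b:02X}" for b in hashlib.sha256(SAMPLE_CERT).digest())

if __name__ == "__main__":
    print(fingerprint_matches(SAMPLE_CERT, PINNED_FP))    # True
    print(fingerprint_matches(IMPOSTOR_CERT, PINNED_FP))  # False
    # connect_pinned("ntp.example.invalid", 443, PINNED_FP) would raise on a mismatch.
```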
