Re: SSL on a hosted site

2005-01-13 Thread Thomas J. Hruska
At 05:18 PM 1/12/2005 -0700, L Nehring writeth:
> Have a look at this http://www.schneier.com/paper-pki-ft.txt
> and some other papers on that site. I run my own CA because I
> neither trust nor can I afford Verisign. There's no technical difference
> in the certs.
>
> best regards,
> Lance
> http://www.newparticles.com/

The only major issue with your own CA is that users will get a dialog box
that might scare them off (your root is not in their trusted root).  They
are used to automatically getting dropped into a secure connection and a
sudden change from the norm might make them panic (most Windows users have
never seen the IE SSL security dialog before).  There are lots of cheaper
CAs than Verisign that are trusted by users' browsers.  A lot of businesses
in this corner of the world are just itching for cacert.org to come up with
inclusion of their CA into user browsers (particularly IE) to finally drop
Verisign/Thawte.  I had a similar system set up a couple years ago and a
number of people used it - theirs is only slightly more elaborate.

The major problem with custom CAs is inclusion in browsers.  I doubt
cacert.org can sustain itself on free for very long - especially after
inclusion.  What they should be instead is something like CDDB - a secure
database of root certificates.  A browser only needs one certified CA then
to get the database of root certs.  This allows CAs to issue certs for free
or a price or whatever and get included in all browsers every week after
_they_ are certified.  The browser merely checks the main server once a
week for updates to the root database and adds the changes across a secured
SSL connection.  This method allows the
super-paranoid-government-spies-are-everywhere people to issue a
replacement CA certificate every week (obviously re-signing all signed
certificate requests) versus the current once every ten years.


Thomas J. Hruska
[EMAIL PROTECTED]

Shining Light Productions
Home of the Nuclear Vision scripting language and ProtoNova web server.
http://www.slproweb.com/

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]


Re: SSL on a hosted site

2005-01-13 Thread Ken Goldman
> Date: Wed, 12 Jan 2005 16:25:06 -0700
> From: [EMAIL PROTECTED]
>
> Furthermore any felon in jail can have his lawyer register a company
> and then obtain a legit cert from pretty much any official
> certification authority.

True, but not as bad as it sounds.  

The felon could register a web site and get a valid certificate
attesting that he's the owner of the URL jailed-felon.com.  Then you
can establish an authenticated SSL connection to
https://www.jailed-felon.com.

So what?  Nothing unexpected.

What Joe Jailed Felon (aka JJ) cannot do is get a legitimate
certificate saying he's terralogic.net.  So he can prove that he's
himself, but he can't impersonate you.

-- 
Ken Goldman   [EMAIL PROTECTED]   914-784-7646
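
Two points from the messages above can be checked with the openssl command line: a certificate from your own CA is rejected only because its root is absent from the verifier's trust store, and a certificate proves only the name it was issued for. This is an added example, not part of any poster's message; the CA name and the host names shop.example and other.example are constructed.

```shell
#!/bin/sh
# Added example. Every name (Example Private CA, shop.example, other.example)
# is constructed for illustration.

# make_pki DIR: create a private root CA in DIR and issue one server cert from it.
make_pki() {
    dir=$1
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
subjectAltName = DNS:shop.example
EOF
    # Self-signed root: the "own CA" that no browser ships with.
    openssl req -x509 -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    # Server key and signing request for the hosted site.
    openssl req -new -config "$dir/pki.cnf" -subj "/CN=shop.example" \
        -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null &&
    # The CA signs the request, binding the key to the name shop.example.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/pki.cnf" -extensions v3_srv \
        -out "$dir/server.pem" 2>/dev/null
}

# verifies CERT [options]: true only when "openssl verify" reports CERT as OK.
verifies() {
    cert=$1; shift
    openssl verify "$@" "$cert" 2>&1 | grep -q ': OK$'
}

demo() {
    d=$(mktemp -d) && make_pki "$d" || return 1
    verifies "$d/server.pem" && echo "default store: OK" || echo "default store: rejected"
    verifies "$d/server.pem" -CAfile "$d/ca.pem" && echo "own root: OK"
    verifies "$d/server.pem" -CAfile "$d/ca.pem" -verify_hostname other.example ||
        echo "own root, other.example: rejected"
    rm -rf "$d"
}
demo
```

The first check uses whatever trust store the local OpenSSL build defaults to, which stands in for a browser's built-in root list.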


SSL on a hosted site

2005-01-12 Thread Michael Jackson
Can I install this on a hosted site? How does this ensure protection for my customers? Besides the cost, is there a difference between these SSL certs and ones from Verisign or another company?

Mike

Life is that which you make of it!


Re: SSL on a hosted site

2005-01-12 Thread terr
Usually I lurk but I can offer some suggestions.

1) it will depend on the hosting company

2) certs are the same.  The issue is that Windows knows about certs from 
companies like Verisign and does not know about anything you generate yourself 
- however technically they are the same.

3) Technically it should be possible to install your own root cert in a client 
computer.  This would make sense if you are doing this in an intranet 
environment (i.e., say corporate or government).  This totally defeats the premise 
of having a certification authority.  However we all know there is no security 
in most client computers anyways.  (ha!)  Furthermore any felon in jail can 
have his lawyer register a company and then obtain a legit cert from pretty 
much any official certification authority.  



On Wed, Jan 12, 2005 at 02:14:52PM -0800, Michael Jackson wrote:
> Can I install this on a hosted site?  How does this ensure protection for my
> customers?  Besides the cost, is there a difference between these SSL certs
> and ones from Verisign or another company?
>
> Mike
>
> Life is that which you make of it!


Re: SSL on a hosted site

2005-01-12 Thread Michael Jackson
Would openssl be a good choice for creating my own certs? The host for my service is not on an intranet. It is a separate entity such as godaddy.com. Is it still possible?

[EMAIL PROTECTED] wrote:
> Usually I lurk but I can offer some suggestions.
>
> 1) it will depend on the hosting company
>
> 2) certs are the same. The issue is that Windows knows about certs from companies like Verisign and does not know about anything you generate yourself - however technically they are the same.
>
> 3) Technically it should be possible to install your own root cert in a client computer. This would make sense if you are doing this in an intranet environment (i.e., say corporate or government). This totally defeats the premise of having a certification authority. However we all know there is no security in most client computers anyways. (ha!) Furthermore any felon in jail can have his lawyer register a company and then obtain a legit cert from pretty much any official certification authority.
>
> On Wed, Jan 12, 2005 at 02:14:52PM -0800, Michael Jackson wrote:
> > Can I install this on a hosted site? How does this ensure protection for my customers? Besides the cost, is there a difference between these SSL certs and ones from Verisign or another company?
> >
> > Mike
> >
> > Life is that which you make of it!

Life is that which you make of it!

Re: SSL on a hosted site

2005-01-12 Thread L Nehring
Have a look at this http://www.schneier.com/paper-pki-ft.txt
and some other papers on that site. I run my own CA because I 
neither trust nor can I afford Verisign. There's no technical difference 
in the certs.

best regards,
Lance
http://www.newparticles.com/

Michael Jackson wrote:
> Can I install this on a hosted site? How does this ensure protection
> for my customers? Besides the cost, is there a difference between
> these SSL certs and ones from Verisign or another company?
>
> Mike
>
> Life is that which you make of it!