
Re: [SAGE] Are cheap SSL certificates legitimate?
On Jan 19, 2007, at 5:17 PM, Philip J. Hollenback wrote:

> On 01/19/07, Jonathan Billings wrote:
>> The original poster's email indicated that it *was* for an internal
>> site (and that's why I qualified it as such).  No point paying for
>> something when the free alternative requires the same procedure.
>
> But in this case I think I have to pay for something.  Otherwise I
> will have to spend a large amount of time configuring all the
> different clients and operating systems.  So even though this is for
> internal use I still want to purchase certificates to minimize this
> work.  It isn't realistic to ask all users to configure their clients
> themselves.  Thus I really want to know if these 'cheap' certificates
> are sufficient and I'm not somehow opening myself up to some sort of
> security problem later on.

There's the outside chance that if a CA behaves badly, then browser  
vendors may cease to carry their certificates.  The Mozilla  
Foundation policy at

http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html

states:

	We reserve the right to not include a particular CA certificate in
	our software products, to discontinue including a particular CA
	certificate in our products, or to modify the "trust bits" for a
	particular CA certificate included in our products, at any time and
	for any reason.

If El Cheapo CAs are distributing certs w/o taking due care to  
validate the requestor, or providing for CRL distribution, then they  
could have their certs yanked from future products.  I seem to recall  
that some of the CAs included in early Netscape are no longer in most  
browsers.  I don't know how many servers may have had certs issued by  
them.

Finding that Firefox 2.1 no longer carries your CA would be
disappointing, but then again it's a pretty slim chance, and far from
the end of the world.


>
> -- 
> Philip J. Hollenback
> www.hollenback.net

--
Peter Burkholder
email: pburkholder@pobox.com;  AIM: peterbtech;  Skype: pburkholder
phone: +1-303-497-2663 (work) or +1-303-359-4842 (cell)
http://www.pburkholder.com
PGP Key Fingerprint: B473 C1CF D8B0 7941 8F95  7627 4785 86C9 F1F4 81DC
PGP Key URL:  http://pburkholder.com/gpg.txt