Posted to users@httpd.apache.org by Peter Schober <pe...@univie.ac.at> on 2009/07/22 15:37:51 UTC

[users@httpd] [OT] [users@httpd] Re: Low priced certificate?

* Boyle Owen <Ow...@six-group.com> [2009-07-22 14:43]:
> > -----Original Message-----
> > From: news [mailto:news@ger.gmane.org] On Behalf Of Nicholas Sherlock
> > > 
> > > Jfyi: you might also try free and not widely recognized,
> > > http://cacert.org/
> > 
> > Won't certificates signed by them be only useful for
> > internally-deployed apps? They're not a trusted root on Windows so
> > random browsers on the web will just get an "UNTRUSTED SITE! Get me
> > out of here!" message.

You certainly can use any CA you want for anything you want.
For internal deployments you might as well skip SSL or roll your own
CA or whatever.
Either way, people have found cacert to be useful for their
requirements.

> It's worth remembering what a certificate is for; it is a document,
> undersigned by a third-party, that confirms that you are who you say you
> are. The third-party certificate signing authority is putting their
> reputation on the line and has a moral (even a legal) obligation to be
> certain you are bona fide.

In contrast to the "checks" most commercial offerings provide, cacert
actually does verify who you are, via a web of trust (cf. the PGP web
of trust), rules and documented procedures (afaik not RFC 3647-style,
but still).

A bit dated, but I'm sure you can find more recent similar exploits:

http://www.cert.org/advisories/CA-2001-04.html
"This problem is the result of a failure by the certificate authority
to correctly authenticate the recipient of a certificate. Verisign has
taken the appropriate action by revoking the certificates in
question. However, this in itself is insufficient to prevent the
malicious use of these certificates until a patch has been installed,
because Internet Explorer does not check for such revocations
automatically. Indeed, because the Certificates issued by Verisign do
not contain any information regarding where to check for a revocation,
Internet Explorer, or any browser, is unable to check for revocations
of these certificates."

Only recently have the commercial offerings started offering the
checks they should always have done in the first place. But now with a
special price tag for "extended validation" certs...

But of course cacert only works where people import their root CA
(and/or intermediate CA) themselves or have this done by someone.
At least until cacert manages to be included in web browser and/or OS
distributions.
Also their policy states what kind of transactions you may or may
not rely on using their certs.

All this for a simple "jfyi"...

> Trying to get a cheap cert for your site is like a bus company
> getting cheap tyres for their buses...

Only that all bits are created equal (tyres are not, I suppose).
At least as long as MD5 is not used for the certs anymore[1] :)
The difference is in the checks performed by the CAs prior to issuing
any certificates, not the resulting artefact (cert, tyre).
-peter

[1] http://www.phreedom.org/research/rogue-ca/
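
The two points Peter raises above (a cert that carries no pointer to
where revocation can be checked, as in CA-2001-04, and a cert signed
with MD5, as in the rogue-CA footnote) can both be checked on an
arbitrary certificate with openssl. The script below is an added
example, not code from the thread or from cacert; the issuer names,
CRL/OCSP URLs and the two self-signed test certificates are
constructed inline for the demonstration, and `req -addext` assumes
OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): report which
# revocation pointers a certificate carries (CRL Distribution Points,
# OCSP URL in Authority Information Access) and whether the CA signed it
# with a weak hash (MD5/SHA-1). Assumes OpenSSL >= 1.1.1 for -addext.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: one self-signed cert with a CRL distribution
# point and an OCSP responder URL, and one with neither (the situation
# described in CA-2001-04). The hostnames are fictional (.test TLD).
openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=with-revocation-info" \
    -addext "crlDistributionPoints=URI:http://crl.example.test/ca.crl" \
    -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test" \
    -keyout "$WORK/k1.pem" -out "$WORK/with.pem" 2>/dev/null
openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=no-revocation-info" \
    -keyout "$WORK/k2.pem" -out "$WORK/without.pem" 2>/dev/null

# Print "crl+ocsp", "crl", "ocsp" or "none" for the given PEM certificate.
revocation_pointers() {
    text=$(openssl x509 -in "$1" -noout -text)
    has_crl=0; has_ocsp=0
    if printf '%s\n' "$text" | grep -q "CRL Distribution Points"; then has_crl=1; fi
    if printf '%s\n' "$text" | grep -q "OCSP - URI:"; then has_ocsp=1; fi
    if [ "$has_crl" = 1 ] && [ "$has_ocsp" = 1 ]; then echo "crl+ocsp"
    elif [ "$has_crl" = 1 ]; then echo "crl"
    elif [ "$has_ocsp" = 1 ]; then echo "ocsp"
    else echo "none"
    fi
}

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
# The algorithm appears twice in -text output; the first copy is enough.
sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Return 0 when the named signature algorithm uses MD5 or SHA-1, i.e. a
# hash for which chosen-prefix collisions are practical (see footnote [1]).
hash_is_weak() {
    case "$1" in
        md5*|sha1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Convenience wrapper: 0 if the cert's signature hash is MD5 or SHA-1.
cert_hash_is_weak() {
    hash_is_weak "$(sig_alg "$1")"
}

for cert in "$WORK/with.pem" "$WORK/without.pem"; do
    echo "$cert: revocation pointers=$(revocation_pointers "$cert") sig=$(sig_alg "$cert")"
done
```

A relying party that sees "none" here cannot check revocation at all,
which is exactly why revoking the CA-2001-04 certificates did not help
clients; a "crl" or "ocsp" result only says the pointer exists, the
browser still has to actually fetch and honour it.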

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org