
Re[2]: [cobalt-security] self signed certificate warnings
On Wed, 20 Feb 2002 16:26:56 -0800 Jeff Lasman <jblists@xxxxxxxxxxxxx> wrote:

> > > I know of ONE way that will take care of this problem definitively, and
> > > that is to buy a wildcard cert from Thawte.  However, they now charge
> > > per domain, which is extremely limiting to me.
> > 
> > Some CAs (Verisign?) can sell you a CA certificate that
> > would allow you to sign your sites' certificates, and
> > still have them recognized as valid by browsers.  Of course
> > this is not cheap.
> 
> Check www.geotrust.com.  They've got a wildcard certificate available
> for *.yourdomain.com for US$400.

Usually you do not need a wildcard certificate.  This is not
advertised, but browsers (most of them?) do a "suffix match"
on the CNAME.  That is, purchase a certificate for "xyz.com",
and use it on the servers abc.xyz.com, def.xyz.com,
ghi.xyz.com - browsers will think that the name matches OK.

But I was talking about a *different* thing: that you can
buy a certificate that entitles you as a ("local") CA,
so that you can issue site certificates yourself.

I'd like to add that this whole CA business makes
me uneasy.  Essentially, it is about making money out of
thin air (noticeable income for a thing that requires near
zero work).  As such, it inevitably attracts the lovers
of easy money rather than trustworthy businesses.  Which
defeats the whole idea of a CA as a 100% trusted entity.

Eugene
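Added example, not part of the thread: a reference hostname check that applies the server-identity matching rule of RFC 2818 section 3.1 and RFC 6125 section 6.4.3 (exact label-by-label match, wildcard honoured only as the whole leftmost label), run over the names from the discussion so you can see which hosts a standards-following client accepts for a plain "xyz.com" certificate versus a "*.xyz.com" one. The function names, the two certificate name lists and the host list are constructed for this example.

```python
"""Reference hostname matcher for TLS server certificates (constructed example).

Rules applied (RFC 2818 s3.1 / RFC 6125 s6.4.3, as current clients enforce):
  * DNS labels compare case-insensitively; a trailing dot is ignored;
  * an identifier must match the whole name, label for label
    (no "suffix match": a cert for xyz.com does not cover abc.xyz.com);
  * a wildcard is honoured only as the entire leftmost label and matches
    exactly one label (*.xyz.com covers abc.xyz.com, not xyz.com, not a.b.xyz.com);
  * a wildcard with fewer than two labels after it (e.g. "*.com") is refused.
"""

def _labels(name: str) -> list[str]:
    return name.lower().rstrip(".").split(".")

def identifier_matches(identifier: str, hostname: str) -> bool:
    """True if one certificate identifier (CN or dNSName SAN) covers hostname."""
    want = _labels(hostname)
    have = _labels(identifier)
    if "*" not in identifier:
        return have == want                      # exact, label-for-label match
    # Wildcard: must be the whole leftmost label, nowhere else, >= 2 labels after it.
    if have[0] != "*" or len(have) < 3 or any("*" in lab for lab in have[1:]):
        return False
    # Same number of labels (the "*" consumes exactly one) and identical tail.
    return len(have) == len(want) and have[1:] == want[1:]

def certificate_covers(hostname: str, cert_names: list[str]) -> bool:
    """True if any name presented in the certificate matches hostname."""
    return any(identifier_matches(n, hostname) for n in cert_names)

# Constructed scenarios from the thread: a cert bought for "xyz.com" versus a
# wildcard cert for "*.xyz.com", each checked against the hosts Eugene lists.
SINGLE_NAME_CERT = ["xyz.com"]
WILDCARD_CERT = ["*.xyz.com"]

def demo() -> dict[str, bool]:
    hosts = ["xyz.com", "abc.xyz.com", "def.xyz.com", "a.b.xyz.com"]
    return {
        f"{h} vs {c[0]}": certificate_covers(h, c)
        for c in (SINGLE_NAME_CERT, WILDCARD_CERT)
        for h in hosts
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28} -> {'accepted' if ok else 'rejected'}")
```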