
Re: Re[2]: [cobalt-security] self signed certificate warnings
Thanks, these are some good points.
I am open to a wildcard cert for $400, and asked that anyone who had a
recommendation give it.

As far as this "local" CA is concerned, I am creating a somewhat "low
end" solution here and simply want to avoid some of the error messages
people are getting.

Thanks for the pointers in your e-mail, I was able to use that to get a
lot of detailed information.

Matt Nuzum

On Thu, 2002-02-21 at 01:40, Eugene Crosser wrote:
    On Wed, 20 Feb 2002 16:26:56 -0800 Jeff Lasman <jblists@xxxxxxxxxxxxx> wrote:
    
    > > > I know of ONE way that will take care of this problem definitively, and
    > > > that is to buy a wildcard cert from Thawte.  However, they now charge
    > > > per domain, which is extremely limiting to me.
    > > 
    > > Some CAs (Verisign?) can sell you a CA certificate that
    > > would allow you to sign your sites' certificates, and
    > > still have them recognized as valid by browsers.  Of course
    > > this is not cheap.
    > 
    > Check www.geotrust.com.  They've got a wildcard certificate available
    > for *.yourdomain.com for US$400.
    
    Usually you do not need a wildcard certificate.  This is not
    advertised, but browsers (most of them?) do a "suffix match"
    on the CNAME.  That is, purchase a certificate for "xyz.com",
    and use it on the servers abc.xyz.com, def.xyz.com,
    ghi.xyz.com - browsers will think that the name matches OK.
    
    But I was talking about a *different* thing: that you can
    buy a certificate that entitles you as a ("local") CA,
    so that you can issue site certificates yourself.
    
    I'd like to add that this whole CA business makes
    me uneasy.  Essentially, it is about making money out of
    thin air (noticeable income for a thing that requires near
    zero work).  As such, it inevitably attracts the lovers
    of easy money rather than trustworthy businesses.  Which
    defeats the whole idea of a CA as a 100% trusted entity.
    
    Eugene
    
    _______________________________________________
    cobalt-security mailing list
    cobalt-security@xxxxxxxxxxxxxxx
    http://list.cobalt.com/mailman/listinfo/cobalt-security
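The thread turns on which hostnames a single certificate covers, so here is an added example (not code from the list or either poster) that implements the server-name matching rules browsers apply to a certificate's CN or dNSName entries (RFC 2818, later consolidated in RFC 6125) in plain Python. It lets the reader try the cases discussed above offline: a certificate for "xyz.com" covers exactly that name, while a wildcard "*.xyz.com" covers one label, so "abc.xyz.com" matches but "a.b.xyz.com" does not. The certificate names and hostnames inside are constructed sample data, and the function names are this example's own.

```python
"""Server-name matching as browsers apply it to a certificate.

Added example, not from the cobalt-security thread.  Implements the
RFC 2818 / RFC 6125 rules for comparing a presented name (CN or
dNSName SAN) against the hostname the client connected to.  All
certificate names and hostnames below are constructed sample values.
"""


def _labels(name):
    """Split a DNS name into lowercase labels; names are case-insensitive
    and a trailing dot (absolute name) is ignored."""
    return name.lower().rstrip(".").split(".")


def hostname_matches(cert_name, hostname):
    """True if one name from the certificate covers `hostname`."""
    cert_labels = _labels(cert_name)
    host_labels = _labels(hostname)
    if "" in cert_labels or "" in host_labels:
        return False  # empty label: malformed name, never matches

    if "*" not in cert_name:
        # Plain name: exact label-for-label match only.  A certificate
        # for "xyz.com" does not cover "abc.xyz.com".
        return cert_labels == host_labels

    # Wildcard rules: '*' must be the entire leftmost label, no other
    # label may contain '*', the name needs at least two further labels
    # (so "*.com" is rejected), and '*' matches exactly one label.
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    if any("*" in label for label in cert_labels[1:]):
        return False
    if len(host_labels) != len(cert_labels):
        return False
    return host_labels[1:] == cert_labels[1:]


def certificate_covers(cert_names, hostname):
    """A certificate covers a host if any of its names matches it
    (a certificate may carry several dNSName entries)."""
    return any(hostname_matches(name, hostname) for name in cert_names)


def coverage_report(cert_names, hostnames):
    """Map each hostname to whether the certificate's names cover it."""
    return {host: certificate_covers(cert_names, host) for host in hostnames}


if __name__ == "__main__":
    # Constructed sample: the two certificate options discussed in the thread.
    hosts = ["xyz.com", "abc.xyz.com", "def.xyz.com", "a.b.xyz.com", "xyz.org"]
    for names in (["xyz.com"], ["*.xyz.com"], ["xyz.com", "*.xyz.com"]):
        print(names)
        for host, ok in coverage_report(names, hosts).items():
            print("   %-14s %s" % (host, "covered" if ok else "NOT covered"))
```

Run it directly to print the coverage table for a plain "xyz.com" certificate, a "*.xyz.com" wildcard, and a certificate carrying both names. Browsers differ in small details (for example, how they treat wildcards in internationalised labels), but the one-label, leftmost-only rule shown here is the behaviour a practitioner should assume when deciding between a plain and a wildcard certificate.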