
Re: [cobalt-security] self signed certificate warnings



Eugene Crosser wrote:

> Usually you do not need a wildcard certificate.  This is not
> advertised, but browsers (most of them?) do a "suffix match"
> on the CNAME.  That is, purchase a certificate for "xyz.com",
> and use it on the servers abc.xyz.com, def.xyz.com,
> ghi.xyz.com - browsers will think that the name matches OK.

Eugene,

Please let us know which browsers do this; it's not enough to know that
"browsers" will break the rules when it comes to domain certification.

In fact it's dangerous behavior; I'd not want to use a browser that did
it.

> But I was talking about a *different* thing: that you can
> buy a certificate that entitles you as a ("local") CA,
> so that you can issue site certificates yourself.

That's a lot of money.  The last time I looked it was over us$10,000.

> I'd like to add that this whole CA business makes
> me uneasy.  Essentially, it is about making money out of
> thin air (noticeable income for a thing that requires near
> zero work).  As such, it inevitably attracts the lovers
> of easy money rather than trustworthy businesses.  Which
> defeats the whole idea of a CA as a 100% trusted entity.

When Verisign first went into the business they earned their money; they
went through a lot of hoops to make sure the company was who it says it
was.

Now Thawte does less and charges less.  GeoTrust does still less and
charges still less.

That seems to be a fair tradeoff.  If you want to have a cert from a
U.S. company that knows who you are beyond a shadow of a doubt before
issuing the cert, buy from Verisign, for somewhere around us$350 or so.
If you want to buy from a South African company that does less in the
way of due diligence and charges less, buy from Thawte for us$125.  If
you want to buy a GeoTrust cert from a company that verifies you can be
reached at your domain and that you have the rights to the domain as
enumerated in your registrar's whois database, buy from me for us$99
<smile>.

Jeff
-- 
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA  92517
voice: (909) 778-9980  *  fax: (702) 548-9484
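To make the name-matching rule under discussion concrete, here is an added illustration (not code from this thread or from any product mentioned in it) of how a correctly behaving client compares a certificate's DNS name with the requested hostname, following RFC 6125: whole-label comparison, a wildcard only as the complete leftmost label covering exactly one label, and no "suffix match" of the kind described above. The function names are my own.

```python
from typing import List, Optional


def cert_name_matches(presented: str, hostname: str) -> bool:
    """Return True if a DNS name from a certificate (CN or SAN) covers hostname.

    Rules (RFC 6125 section 6.4.3):
    - comparison is case-insensitive and label by label;
    - '*' is allowed only as the complete leftmost label and matches exactly
      one label, so '*.xyz.com' covers abc.xyz.com but not xyz.com or
      a.b.xyz.com;
    - there is no suffix matching: 'xyz.com' never covers abc.xyz.com.
    """
    p = presented.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # different label counts: rules out any suffix match
    if p[0] == "*":
        # refuse wildcards that would span a whole public suffix, e.g. '*.com'
        if len(p) < 3:
            return False
        return p[1:] == h[1:]
    # a '*' anywhere else is a partial-label wildcard, which is not accepted
    if any("*" in label for label in p):
        return False
    return p == h


def hostname_covered(hostname: str, san_dns_names: List[str],
                     cn: Optional[str] = None) -> bool:
    """Check hostname against the SAN dNSName entries; fall back to the CN
    only when the certificate carries no SAN dNSName at all (RFC 6125 6.4.4)."""
    names = san_dns_names if san_dns_names else ([cn] if cn else [])
    return any(cert_name_matches(n, hostname) for n in names)
```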