
Re[2]: [cobalt-security] self signed certificate warnings



On Thu, 21 Feb 2002 10:27:24 -0800 Jeff Lasman <jblists@xxxxxxxxxxxxx> wrote:

> > Usually you do not need a wildcard certificate.  This is not
> > advertised, but browsers (most of them?) do a "suffix match"
> > on the CNAME.  That is, purchase a certificate for "xyz.com",
> > and use it on the servers abc.xyz.com, def.xyz.com,
> > ghi.xyz.com - browsers will think that the name matches OK.

> Please let us know which browsers do this; it's not enough to know that

Last time I checked a year or more ago, it was Netscape
4.7something and I think IE that was recent at that moment.

> "browsers" will break the rules when it comes to domain certification.
>
> In fact it's dangerous behavior; I'd not want to use a browser that did
> it.

There are no "rules" on this matter; and common sense
says that if your company gets a second level domain and
CA certifies that it's yours, any subdomains of this
second level domain should automatically be considered
yours too.  So this is not dangerous but logical behavior.
It is only dangerous for the CA's revenue because they
will sell you less distinct certificates.

> > I'd like to add that this whole CA business makes
> > me uneasy.  Essentially, it is about making money out of
> > thin air (noticeable income for a thing that requires near
> > zero work).  As such, it inevitably attracts the lovers
> > of easy money rather than trustworthy businesses.  Which
> > defeats the whole idea of a CA as a 100% trusted entity.
> 
> When Verisign first went into the business they earned their money; they
> went through a lot of hoops to make sure the company was who it says it
> was.
> 
> Now Thawte does less and charges less.  GeoTrust does still less and
> charges still less.
> 
> That seems to be a fair tradeoff.  If you want to have a cert from a
> U.S. company that knows who you are beyond a shadow of a doubt before
> issuing the cert, buy from Verisign, for somewhere around us$350 or so. 
> If you want to buy from a South African company that does less in the
> way of due diligence and charges less, buy from Thawte for us$125.  If
> you want to buy a GeoTrust cert from a company that verifies you can be
> reached at your domain and that you have the rights to the domain as
> enumerated in your registrar's whois database, buy from me for us$99
> <smile>.

Now tell me, does it really cost $99 to run a whois lookup and
then run "openssl ca <cert.req | mailx client@xxxxxxxxx"?

The business model is in fact this: make a deal with AOL
and Microsoft so they include your CA in the browser
package and start charging money from the web site owners.
Nothing to do with "trust".

OK, I've got too far off-topic, sorry for that...

Eugene
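The name matching argued over in this thread, as an added example (not code from the list or from either poster): a hostname matcher written to the rule TLS verifiers apply (exact case-insensitive match, or a wildcard standing for exactly one leftmost label), placed beside the "suffix match" the message describes so the two can be compared on the xyz.com names from the thread. The requirement that at least two labels follow the wildcard is a browser-style restriction assumed here, not something stated in the thread.

```python
"""Certificate hostname matching: standard rule vs. the thread's suffix rule.

Added illustration for the thread above; not code from the list or its
participants. The names used below (xyz.com, abc.xyz.com) are the ones
quoted in the message.
"""


def matches_dns_name(presented: str, host: str) -> bool:
    """RFC 2818 / RFC 6125 style match of one certificate name to a host.

    A plain name must be identical (case-insensitive, trailing dot ignored).
    A wildcard is accepted only when '*' is the entire leftmost label and
    covers exactly one label; it may not appear anywhere else. Assumed
    browser-style restriction: at least two labels must follow the '*',
    so '*.com' never matches anything.
    """
    presented = presented.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in presented:
        return presented == host
    p_labels = presented.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]):
        return False  # '*' only as the whole leftmost label
    if len(p_labels) < 3:
        return False  # refuse wildcards over a bare second-level name
    if len(h_labels) != len(p_labels):
        return False  # '*' covers one label, never 'a.b' and never nothing
    return p_labels[1:] == h_labels[1:]


def suffix_match(presented: str, host: str) -> bool:
    """The loose rule described in the thread: the host is accepted if it
    ends with the certified name. Shown for contrast only; a verifier that
    does this lets a cert for xyz.com vouch for every name beneath it."""
    presented = presented.lower().rstrip(".")
    host = host.lower().rstrip(".")
    return host == presented or host.endswith("." + presented)


def check_host(cert_names, host: str) -> bool:
    """True if any DNS name carried by the certificate matches the host.
    Pass the certificate's subjectAltName DNS entries (or its CN)."""
    return any(matches_dns_name(name, host) for name in cert_names)


if __name__ == "__main__":
    # Constructed comparison on the thread's own example names.
    for h in ("xyz.com", "abc.xyz.com", "ghi.xyz.com", "a.abc.xyz.com"):
        print(f"{h:16} standard={check_host(['xyz.com'], h)!s:5} "
              f"wildcard={check_host(['*.xyz.com'], h)!s:5} "
              f"suffix={suffix_match('xyz.com', h)}")
```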