RE: [cobalt-developers] Re: Secure Certificate
- Subject: RE: [cobalt-developers] Re: Secure Certificate
- From: "Matthew Nuzum" <cobalt@xxxxxxxxxxxxx>
- Date: Wed Jul 17 08:13:01 2002
- Organization: Bearfruit.org
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
>
> OWSA> How do some other servers I see run ssl under their
> OWSA> servers for their clients with the certificate from
> OWSA> root???
>
> In addition to what Gerald correctly stated: blanket certs.
> One pays, say, about five times as much for
>
> *.somedomain.tld
>
> for which there is no limit on "*" subdomains.
>
> I contend that
>
> secure.somedomain.tld/customer/
>
> is a security risk. The certificate validates the provider, but
> what is to stop me from signing up with them, using a valid cert,
> and impersonating a competitor that they host?
>
> An individual cert validates as well as encrypts -- at least in
> theory.
>
> Eddy
> --

These are good points, and Marcos Gurgel offered a link that also
provides a workable solution.

What Eddy is alluding to in this e-mail is that there are two uses for a
secure certificate; it encrypts traffic AND it verifies that the site
manager is who they say they are. If you've purchased a cert before,
you'll know that the process involves business checks and proving your
identity.

If you use a shared cert, you lose 1/2 of the functionality of the
certificate. Any of us with a raq server or openssl software can
generate our own certificates that provide the same level of encryption
as a standard cert from the big CAs. There just is no verification that
the party is who they say they are. That's what you're paying for with
Thawte or Verisign.

Matthew Nuzum
www.bearfruit.org
cobalt@xxxxxxxxxxxxx
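
Added example, not part of the original message: a sketch of the name check a TLS client performs, showing that a shared or wildcard certificate identifies only the provider's host and never the customer path behind it. The matching follows the common RFC 6125 wildcard rule; the customer names and URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

def name_matches(hostname, pattern):
    """Wildcard match: '*' is only honoured as the whole leftmost label
    and stands for exactly one non-empty label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return bool(host[0]) and host[1:] == pat[1:]
    return host == pat

def validated_identity(url, cert_names):
    """Return the certificate name that vouches for this URL, or None.
    Only the host part is compared; the path is invisible to the check."""
    host = urlsplit(url).hostname or ""
    for name in cert_names:
        if name_matches(host, name):
            return name
    return None

# Constructed certificates (names as they would appear in the cert)
SHARED_CERT = ["secure.somedomain.tld"]      # provider's single-host cert
WILDCARD_CERT = ["*.somedomain.tld"]         # provider's blanket cert
INDIVIDUAL_CERT = ["www.customer-a.tld"]     # hypothetical customer-owned cert

def demo():
    """Collect (url, validated name) pairs for constructed sample URLs."""
    cases = [
        ("https://secure.somedomain.tld/customer-a/", SHARED_CERT),
        ("https://secure.somedomain.tld/customer-b/", SHARED_CERT),
        ("https://customer-a.somedomain.tld/", WILDCARD_CERT),
        ("https://customer-b.somedomain.tld/", WILDCARD_CERT),
        ("https://www.customer-a.tld/", INDIVIDUAL_CERT),
        ("https://www.customer-b.tld/", INDIVIDUAL_CERT),
    ]
    return [(url, validated_identity(url, names)) for url, names in cases]

if __name__ == "__main__":
    for url, identity in demo():
        print(f"{url:45} -> {identity}")
```

Both customer paths, and both customer subdomains, validate under the same provider name, while the individual certificate vouches for one customer's host only.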