[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] Self Signed Certs

On Sun, 11 Mar 2001, Wayne Sagar wrote:

> 
 > I've seen mention of a "self signed" ssl cert... is this an open source
(ie: free) means to gain an ssl cert?

Not really, 'self signed' means that you claim it is valid instead of a
known certifying authority such as thawte or verisign, eg, because you
made it yourself. If a user accesses the site the browser warns them of
this very fact and tells them that it doesn't not really know if the
certificate is in fact valid, and shows them the information in the
certificate (your name etc) so they can decide for themselves, since the
average web user hasn't the slghtest clue you you may be, the cert has no
value for certifying your identity.
*Note that the browsers come with matching 'CA' keys that match the
certifying authorities, this is how the browser knows up front (most of
the time) that the signed certificates are in fact signed by an authority.
[This is also why old browsers sometimes have problems with newer
authorities, they don't have the needed keys, this has causes some initial
problems for folks using newer CA's to sign keys]

A self-signed cert does how allow encryption if the user is willing to
accept it.
This is why it is sometimes usefull to make self signed certs, eg *you*
know who you are, so using it yourself just to encrypt a connection to
your server's admin page makes perfect sense...

It is also very usefull for testing SSL since it works more or less the
way a signed certificate works and it doesn't cost you anything to make it
and use it for testing ...

 open source != free ;)

Part of what the certifying authorities are in fact charging you for is
the cost of doing a check to see if in fact you are who you claim to be,
this is what the value of a certificate is, it saves everyone who accesses
a site from having to spend 3 days figuring out if you are who you say,
or just some fictcious person(domain) who's gonna grab the credit card and
run ;-

Since i seem to be on a roll..

There are two other issues with certs, wildcard certs, and shared certs.

Shared certs are , unfortunatly, rather common, often ISP's create a cert
for themselves, and allow other sites they host to use it, the problem
with this approoach , other than technical issues, is the cert is only
saying the isp is who they claim to be, it says nothing about the
customers identity, while the isp may be in a position to actually know
for certain the customer is legit, they also may not, using certs in
this way is, ihmo, questionable, tho it is still done rather widely..(it
also violates the certifiate usage agreement for some CA's)

Wildcard Certs are similar in concept, except they are in fact intended
to be used for multiple names, or more precicely, sets of hostnames with a
matching domain(zone) name, in this case the certificate is
basicly saying the domain is known , and the holder of the certificate is
guaranteeing the hosts within that subdomain are related to itself.

Note the wonderfull oppertunity for abuse here, a Wildcard cert for
isp.com will appear valid for JoesToys.isp.com , this is NOT what it is
intended for ;) Well, unless isp.com has given up and decided to go into
the lucrative electronic toy distribution business -/

What it is intended for is to allow several related sites like
north.toys.com and south.toys.com to all have the same cert...


ok, end soapbox -/


gsh