httpd-users mailing list archives

From János Löbb <janos.l...@yale.edu>
Subject Re: [users@httpd] Re: Low priced certificate?
Date Wed, 22 Jul 2009 15:56:38 GMT

On Jul 22, 2009, at 11:40 AM, Mark H. Wood wrote:

> On Wed, Jul 22, 2009 at 03:09:25PM +0200, André Warnier wrote:
>> While not contradicting the essence of the above, I would like to know
>> something for my own edification, if some expert could comment.
>
> I don't think of myself as an expert, but I'm free with my opinions. :-)
>
> [a desire to secure communication among a small, select group using SSL]
>> It is my understanding that we could set up our own "certificate authority"
>> (CA) and create our own server certificates.  A customer browser, upon the
>> first connection, would pop up some message indicating that it cannot verify
>> this certificate, and offering maybe to "authorise" our own CA as a valid
>> one.  Once they did this, the popup would not happen again, and their
>> communications with the website would be encrypted (which is the main point
>> of the exercise).
>>
>> I understand that, in case their DNS system is compromised, they could land
>> onto another website pretending to be ours, and thus accept this other
>> website certificate and CA.
>> But I consider this possibility as relatively unlikely, and easily detected
>> by the customers themselves once they proceed. (*)
>>
>> Is anything wrong with the above thinking?
>
> I don't think there's anything wrong, since your judgment of your risk
> is your own to make, but I do want to suggest that you might consider
> delivering your CA certificate in advance by other means.
>
> A CA certificate, in isolation, is an *unsubstantiated*, *untestable*
> assertion of identity and authority.

A good CA is similar to good wine.  It gets better with age.  One of the
oldest unsubstantiated and untestable assertions of identity and authority
was announced by Jesus about 2000 years ago: "I am who I am" ... and with
time about 2 billion people know it :)


>  It should be delivered either
> directly from the CA to the trusting party, or via a mutually trusted
> third party.  (If you have a site which is secured by a commercial
> certificate that your partners can verify, that might qualify as a
> trusted mechanism.)
>
> I dislike the idea of training people to accept identity "proofs" from
> sources that could turn out to be random strangers, or to bypass
> warnings.  Unlikely though such an attack may be, such training sets
> people up to think in ways that tend to compromise security.  It
> should be the norm to expect a verifiable exchange when agreeing to
> trust.
>
> I do think it is quite sensible to set up a private CA for the purpose
> you describe, and to rely on its certificates for privacy.  I only
> think that the distribution of the CA's own certificate should be
> done very carefully, since it is the key to the whole security
> infrastructure that you want to build.
>
> -- 
> Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
> Friends don't let friends publish revisable-form documents.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

