[linux-elitists] SSL security certificates

Rick Moen rick@linuxmafia.com
Thu Apr 10 15:30:52 PDT 2003

Quoting Modus Operandi (modus@as220.org):

> As far as I can tell, the only problem with self-signed certs is that
> the first time a browser encounters one, the user is warned that the
> cert cannot be verified to be trustworthy.

You got it.

> There are plenty of other cert authorities out there -- Thawte,
> Entrust, Comodo and dozens of others -- but what makes one more
> "trustworthy" than another?

In a fundamental sense, not one of them is "trustworthy".  To find out
whether they give you the user-perspective advantage you outline so
concisely above, examine which certificate authorities are listed in Web
browsers commonly used today (and in recent years, to take into account
unmaintained machines with old software).  

As to whether the certificate authorities _actually_ give any meaningful
assurance of anything:  No, they don't.  Bruce Schneier has an entire,
particularly scathing chapter of his book _Secrets and Lies_ where he
explains why they completely fail to deliver on the promise they seem to
be making.

And yet:  It's a commercial reality that e-commerce sites _must_ pay
Verisign et al. their extortionate rates in order to avoid being swamped
by suspicious customer calls about their site not being "secure".

> And if I decide to go the self-signed route, what's a good resource to
> show me the quick and dirty way of rolling my own 128-bit cert?

Well, there's mine:
And yes, this _is_ how I do mine.

And before someone suggests it yet again:  The biggest reason there
isn't a cheap or free geek collective to run a certificate authority
with the aim of getting it included in common Web browsers is legal

Cheers,           "I don't like country music, but I don't mean to denigrate
Rick Moen         those who do.  And, for the people who like country music,
rick@linuxmafia.com         denigrate means 'put down'."      -- Bob Newhart
