Ignorant of SSL: I have a dumb question


Ignorant of SSL: I have a dumb question

lwoods
I don't understand why anyone would spend the money for Verisign or Thawte for a certificate if you could use OpenSSL.

Can you explain...or point me to some white paper, etc. that would explain this for me.

Thanks

lwoods

Re: Ignorant of SSL: I have a dumb question

Bernhard Fröhlich-2
lwoods (sent by Nabble.com) wrote:

> I don't understand why anyone would spend the money for Verisign or
> Thawte for a certificate if you could use OpenSSL.
>
> Can you explain...or point me to some white paper, etc. that would
> explain this for me.
> <http://www.nabble.com/Ignorant-of-SSL%3A-I-have-a-dumb-question-t664688.html#a1764527>

Oh, I think it's just because my browser (like almost all other browsers
on the internet) won't trust a self-signed certificate you create
yourself. On the other hand almost all internet browsers will trust
certificates signed by Thawte or Verisign because their CA certs are
included in most browsers' initial list of trusted CAs.

So if you can get your CA certificate included in Microsoft's and
Mozilla's CA list (which is possible but IMHO not trivial, and it will
cost you some money) you could sell certificates just like Thawte and
Verisign.

BTW, it is possible to get certificates from such "well known" CAs for
free, for example Thawte's freemail certificates (see
http://www.thawte.com/secure-email/personal-email-certificates/index.html).

Hope it helps.
Ted
;)


Re: Ignorant of SSL: I have a dumb question

lwoods
Thanks, much.

I have an application that is wanting me to add an OpenSSL certificate to my server, but the application will be communicating server-to-server over SSL.  Therefore, the browser "problem" won't be one, right?

lwoods

RE: Ignorant of SSL: I have a dumb question

JoelKatz

> I have an application that is wanting me to add an OpenSSL certificate
> to my server, but the application will be communicating server-to-server
> over SSL.  Therefore, the browser "problem" won't be one, right?

        This is actually a very complex question, and anyone who answers it without
first asking you what your application is and what threats it needs to
protect against is doing you a disservice.

        The purpose of a third-party certificate is to validate the identity of the
endpoint presenting that certificate. Whether or not you need this depends
upon:

        1) Do you need to validate the identity of the endpoint?

        2) Is testing for a certificate from a trusted third party sufficient? (Do
we trust them enough? How secure do we need to be?)

        3) Do we have any other way to validate the endpoint? For example, can we
embed its public key in the application?

        DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
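
Point 3 in the message above (embedding the peer's public key in the application), as an added example that is not part of the original thread: the client stores a SHA-256 hash of the peer's public key and accepts a self-signed certificate only if it carries that key. The file names, the CN `peer.example` and the base64 SHA-256 pin format are assumptions made for this sketch.

```sh
#!/bin/sh
# Constructed demo: file names and the CN are made up for illustration.
WORK=$(mktemp -d)

# Create the key if it does not exist yet, then self-sign a certificate for it.
new_cert() {  # $1 = key file, $2 = certificate file
    [ -f "$1" ] || openssl genrsa -out "$1" 2048 2>/dev/null
    openssl req -x509 -new -key "$1" -out "$2" \
        -subj "/CN=peer.example" -days 30 2>/dev/null
}

# Print base64(SHA-256(SubjectPublicKeyInfo)) for a certificate.
spki_pin() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64
}

# Succeed only if the certificate carries the pinned public key.
check_pin() {  # $1 = certificate file, $2 = expected pin
    [ "$(spki_pin "$1")" = "$2" ]
}

new_cert "$WORK/a.key" "$WORK/a.crt"          # the peer we intend to talk to
new_cert "$WORK/a.key" "$WORK/a-renewed.crt"  # same key, re-issued certificate
new_cert "$WORK/b.key" "$WORK/b.crt"          # same CN, but a different key

PIN=$(spki_pin "$WORK/a.crt")                 # the value embedded in the client

for c in a a-renewed b; do
    if check_pin "$WORK/$c.crt" "$PIN"; then
        echo "$c.crt: pin matches, accept"
    else
        echo "$c.crt: pin mismatch, reject"
    fi
done
```

The name in the certificate plays no part in the decision: the re-issued certificate is accepted because the key is unchanged, and the third one is rejected although it claims the same CN.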

Re: RE: Ignorant of SSL: I have a dumb question

lwoods
I am communicating with PayPal via an SSL link.  They furnished the certificate for me to put on my server, then I had to run a bunch of command line stuff (Don't know what for).

lwoods

RE: Ignorant of SSL: I have a dumb question

Alok-7
In reply to this post by lwoods
Try saying that to a web banking manager :-)


________________________________________
From: [hidden email]
[mailto:[hidden email]] On Behalf Of lwoods (sent by
Nabble.com)
Sent: Saturday, December 03, 2005 10:22 AM
To: [hidden email]
Subject: Ignorant of SSL: I have a dumb question

I don't understand why anyone would spend the money for Verisign or Thawte
for a certificate if you could use OpenSSL.

Can you explain...or point me to some white paper, etc. that would explain
this for me.

Thanks

lwoods
________________________________________
Sent from the OpenSSL - User forum at Nabble.com:
Ignorant of SSL: I have a dumb question



Re: RE: Ignorant of SSL: I have a dumb question

lwoods
Which?  Why Verisign, or why Paypal?

Thanks

lwoods