[NTLUG:Discuss] Possible meeting presentation

David Stanaway david at stanaway.net
Tue May 11 23:15:14 CDT 2010


On 5/11/2010 10:10 PM, Hank Ivy wrote:
> On Tuesday 11 May 2010 02:03 pm Chris Cox wrote:
>   
>> On Mon, 2010-05-10 at 22:59 -0500, Leroy Tennison wrote:
>>     
>>> I'm working on a presentation of openssl (NOT for this month's meeting)
>>> and wondering if there is sufficient interest.  If so, what kinds of
>>> things should be covered:
>>>
>>> Cryptography background (kinds of keys, how it works)?
>>> What else?
>>>       
>> Not sure we've ever had a dedicated presentation on OpenSSL. I think
>> it's a great idea.  OpenSSL is used by SO much stuff.
>>
>> As for what to cover... not sure.... I think you could spend 5 meetings
>> if you tried to cover it all :-)
>>
>> So... IMHO, presenter's choice on what to cover...
>>     
> Is there a way to set up a WEB server with SSL keys so Internet Explorer does 
> not complain about unknown keys without paying a Certification Authority, CA, 
> money for a signed key?  Or how much would it cost?
>   


Do you manage the users of your site? If you can deliver your CA Cert to
their browser's keyring and make sure the subject name for the webserver
cert is used to access the webserver, then yes. If it is Joe Average,
then you need to get a cert on the webserver which is signed by a
trusted path from their web client's set of trusted CA certs.

CA certs can be had for fairly cheap if you look. E.g., Comodo is a bit
cheaper than VeriSign.

Think of it the other way.  What use is a cert that doesn't throw an
exception for the user if the service provider created the cert themselves
and no 3rd party verification of the subject name being entitled to be
used by the requester is done?

Now the verification process used by these CAs is not exactly
bulletproof. I imagine it wouldn't be too difficult for someone to
register a domain that is a common typo of another domain and get a
trusted cert for it, then they spoof the target website and get a valid
padlock on the victim's browser; so the protection gained by having a
trusted CA signed cert being verified and using the correct subject is
debatable.
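
The managed-users case from the reply above (your own CA cert in the clients' trust store, server cert issued for the name clients actually use), as an added example that is not part of the original post. The CA name, the hostname www.example.internal and both helper functions are constructed for illustration, and `openssl verify` stands in for the browser's check.

```shell
#!/bin/sh
# Added example with constructed names: a private CA signs a server certificate,
# then "openssl verify" plays the part of the client.
make_pki() {   # make_pki DIR HOSTNAME
    dir=$1; host=$2
    cat > "$dir/pki.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
subjectAltName = DNS:$host
EOF
    # CA certificate: the only file handed to clients; ca.key stays private.
    openssl req -x509 -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Server key and signing request; the subject is the name clients will type.
    openssl req -new -config "$dir/pki.cnf" -subj "/CN=$host" -newkey rsa:2048 \
        -nodes -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # The CA signs the request and records the hostname as a subjectAltName.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 90 -extfile "$dir/pki.cnf" -extensions v3_srv \
        -out "$dir/server.crt" 2>/dev/null
}

# client_accepts DIR NAME [trusted|untrusted]: exit status 0 only if a client
# with (trusted) or without (untrusted) the private CA accepts server.crt for NAME.
client_accepts() {
    dir=$1; name=$2
    if [ "${3:-trusted}" = trusted ]; then
        openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$name" "$dir/server.crt" >/dev/null 2>&1
    else   # system default trust store only, like a browser that never got ca.crt
        openssl verify -verify_hostname "$name" "$dir/server.crt" >/dev/null 2>&1
    fi
}

# Demo run in a scratch directory: only the first case is accepted.
d=$(mktemp -d) && make_pki "$d" www.example.internal &&
for c in "www.example.internal trusted" "www.example.internal untrusted" "typo.example.internal trusted"; do
    client_accepts "$d" $c && echo "$c: accepted" || echo "$c: rejected"
done
```

The file to distribute to managed clients is `ca.crt`; `server.crt` and `server.key` go on the web server.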
