* [gentoo-user] OT - SSL certificate authorities
@ 2005-11-15 20:43 Antoine
2005-11-15 20:48 ` John Jolet
` (5 more replies)
0 siblings, 6 replies; 14+ messages in thread
From: Antoine @ 2005-11-15 20:43 UTC
To: gentoo-user
Hi,
We are going to set up ssl on a webserver at work and I guess that means
we need a certificate... does anyone have any useful alternatives to
Verisign? Are they really worth the name?
We are not going to be doing any monetary transactions but our clients
are very security conscious (who isn't!) and I have no experience in
these matters. I am certain the boss will want verisign, as he buys a
lot of stuff just for the name but if I can offer him a comparable
alternative at a fraction of the cost he may go for it.
Cheers
Antoine
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] OT - SSL certificate authorities
2005-11-15 20:43 [gentoo-user] OT - SSL certificate authorities Antoine
@ 2005-11-15 20:48 ` John Jolet
2005-11-15 20:54 ` Jarry
` (4 subsequent siblings)
5 siblings, 0 replies; 14+ messages in thread
From: John Jolet @ 2005-11-15 20:48 UTC
To: gentoo-user
On Tuesday 15 November 2005 14:43, Antoine wrote:
> Hi,
> We are going to set up ssl on a webserver at work and I guess that means
> we need a certificate... does anyone have any useful alternatives to
> Verisign? Are they really worth the name?
> We are not going to be doing any monetary transactions but our clients
> are very security conscious (who isn't!) and I have no experience in
> these matters. I am certain the boss will want verisign, as he buys a
> lot of stuff just for the name but if I can offer him a comparable
> alternative at a fraction of the cost he may go for it.
> Cheers
> Antoine
Well, from a security aspect, you can't get more secure than being your own
CA. You sign all your own certificates. Of course, then the clients will
see that your CA isn't trusted, but who the hell trusts Verisign these days?
Not me. Not after that search engine crud they pulled a few years ago.
--
John Jolet
Your On-Demand IT Department
512-762-0729
www.jolet.net
john@jolet.net
* Re: [gentoo-user] OT - SSL certificate authorities
2005-11-15 20:43 [gentoo-user] OT - SSL certificate authorities Antoine
2005-11-15 20:48 ` John Jolet
@ 2005-11-15 20:54 ` Jarry
2005-11-15 21:05 ` John Jolet
2005-11-15 21:03 ` Mike Williams
` (3 subsequent siblings)
5 siblings, 1 reply; 14+ messages in thread
From: Jarry @ 2005-11-15 20:54 UTC
To: gentoo-user
Antoine wrote:
> Hi,
> We are going to set up ssl on a webserver at work and I guess that means
> we need a certificate... does anyone have any useful alternatives to
> Verisign? Are they really worth the name?
Well, if you really need an official certificate from some CA, have a look
in your web-browser, it has certificates for most known authorities
already installed (thawte, verisign, geotrust, Entrust.net, Equifax,
IPS Seguridad, just to name a few of them).
IMHO, Verisign and Thawte are the best known (but I don't say they
are the best).
You may try using a self-signed certificate, or get one from cacert
free of charge:
http://gentoo-wiki.com/HOWTO_cacert.org_SSL_certificates
Jarry
* Re: [gentoo-user] OT - SSL certificate authorities
2005-11-15 20:43 [gentoo-user] OT - SSL certificate authorities Antoine
2005-11-15 20:48 ` John Jolet
2005-11-15 20:54 ` Jarry
@ 2005-11-15 21:03 ` Mike Williams
2005-11-17 0:13 ` Jonathan Nichols
2005-11-15 21:53 ` David Mallwitz
` (2 subsequent siblings)
5 siblings, 1 reply; 14+ messages in thread
From: Mike Williams @ 2005-11-15 21:03 UTC
To: gentoo-user
On Tuesday 15 November 2005 20:43, Antoine wrote:
> We are going to set up ssl on a webserver at work and I guess that means
> we need a certificate... does anyone have any useful alternatives to
> Verisign? Are they really worth the name?
> We are not going to be doing any monetary transactions but our clients
> are very security conscious (who isn't!) and I have no experience in
> these matters. I am certain the boss will want verisign, as he buys a
> lot of stuff just for the name but if I can offer him a comparable
> alternative at a fraction of the cost he may go for it.
If these clients *know* you, and *trust* you, and know anything about
security, there is no reason why you couldn't get away with a self-signed
cert.
If not, http://www.instantssl.com/
Yes, I work for them.
No, I won't make any comment comparing us to anyone else.
No, I can't get you, or anyone else, a discount.
No, I can't give you any support, tell you anything about the internal
workings, or disclose any detail on security procedures.
--
Mike Williams
* Re: [gentoo-user] OT - SSL certificate authorities
2005-11-15 20:54 ` Jarry
@ 2005-11-15 21:05 ` John Jolet
0 siblings, 0 replies; 14+ messages in thread
From: John Jolet @ 2005-11-15 21:05 UTC
To: gentoo-user
On Tuesday 15 November 2005 14:54, Jarry wrote:
> Antoine wrote:
> > Hi,
> > We are going to set up ssl on a webserver at work and I guess that means
> > we need a certificate... does anyone have any useful alternatives to
> > Verisign? Are they really worth the name?
>
> Well, if you really need an official certificate from some CA, have a look
> in your web-browser, it has certificates for most known authorities
> already installed (thawte, verisign, geotrust, Entrust.net, Equifax,
> IPS Seguridad, just to name a few of them).
>
> IMHO, Verisign and Thawte are the best known (but I don't say they
> are the best).
Ha! Verisign bought Thawte a few years ago...
>
> You may try using a self-signed certificate, or get one from cacert
> free of charge:
> http://gentoo-wiki.com/HOWTO_cacert.org_SSL_certificates
>
> Jarry
--
John Jolet
Your On-Demand IT Department
512-762-0729
www.jolet.net
john@jolet.net
* Re: [gentoo-user] OT - SSL certificate authorities
2005-11-15 20:43 [gentoo-user] OT - SSL certificate authorities Antoine
` (2 preceding siblings ...)
2005-11-15 21:03 ` Mike Williams
@ 2005-11-15 21:53 ` David Mallwitz
2005-11-16 18:29 ` Antoine
2005-11-16 4:51 ` A. Khattri
2005-11-16 15:24 ` kashani
5 siblings, 1 reply; 14+ messages in thread
From: David Mallwitz @ 2005-11-15 21:53 UTC
To: gentoo-user
Antoine wrote:
> Hi,
> We are going to set up ssl on a webserver at work and I guess that means
> we need a certificate... does anyone have any useful alternatives to
> Verisign? Are they really worth the name?
> We are not going to be doing any monetary transactions but our clients
> are very security conscious (who isn't!) and I have no experience in
> these matters. I am certain the boss will want verisign, as he buys a
> lot of stuff just for the name but if I can offer him a comparable
> alternative at a fraction of the cost he may go for it.
> Cheers
> Antoine
I prefer Geotrust (http://www.geotrust.com/) to Verisign for third party
signed certificates. Remember that your web server must be properly
configured (http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html) in
order to offer any real security.
Best,
Dave
* Re: [gentoo-user] OT - SSL certificate authorities
2005-11-15 20:43 [gentoo-user] OT - SSL certificate authorities Antoine
` (3 preceding siblings ...)
2005-11-15 21:53 ` David Mallwitz
@ 2005-11-16 4:51 ` A. Khattri
2005-11-16 15:24 ` kashani
5 siblings, 0 replies; 14+ messages in thread
From: A. Khattri @ 2005-11-16 4:51 UTC
To: gentoo-user
On Tue, 15 Nov 2005, Antoine wrote:
> We are going to set up ssl on a webserver at work and I guess that means
> we need a certificate... does anyone have any useful alternatives to
> Verisign? Are they really worth the name?
> We are not going to be doing any monetary transactions but our clients
> are very security conscious (who isn't!) and I have no experience in
> these matters. I am certain the boss will want verisign, as he buys a
> lot of stuff just for the name but if I can offer him a comparable
> alternative at a fraction of the cost he may go for it.
rapidssl.com
Cheap and fast.
* Re: [gentoo-user] OT - SSL certificate authorities
2005-11-15 20:43 [gentoo-user] OT - SSL certificate authorities Antoine
` (4 preceding siblings ...)
2005-11-16 4:51 ` A. Khattri
@ 2005-11-16 15:24 ` kashani
2005-11-16 18:26 ` Antoine
2005-11-19 15:20 ` A. Khattri
5 siblings, 2 replies; 14+ messages in thread
From: kashani @ 2005-11-16 15:24 UTC
To: gentoo-user
Antoine wrote:
> Hi,
> We are going to set up ssl on a webserver at work and I guess that means
> we need a certificate... does anyone have any useful alternatives to
> Verisign? Are they really worth the name?
> We are not going to be doing any monetary transactions but our clients
> are very security conscious (who isn't!) and I have no experience in
> these matters. I am certain the boss will want verisign, as he buys a
> lot of stuff just for the name but if I can offer him a comparable
> alternative at a fraction of the cost he may go for it.
We've got a number of customers that use Geotrust which is
significantly cheaper than Verisign/Thawte. Someone also uses Starfield
which is dirt cheap.
There is a technical issue when using certs no one has ever heard of
before. Many times their cert company's root certs or whatever are not
in the user's browser. In order to fix this you'll need to install the cert
company's intermediate cert or chain cert on your server so that the
browser can chain your new cert to a cert it already trusts.
SSLCACertificateFile conf/ssl.crt/starfield-chain.crt
kashani
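
[Added example, not part of kashani's message or the original thread.] The chaining problem described above can be reproduced offline with the openssl command line: a client that trusts only a root rejects a server cert issued by an intermediate unless the intermediate is sent along. The CA names, file names and the helper functions make_pki and client_accepts are made up for this sketch; it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: constructed lab PKI (root -> intermediate -> server cert).
# All names and file paths are made up; nothing here comes from a real CA.
set -eu

gen_req() {  # gen_req <dir> <name> <CN>: new key + CSR
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_pki() {  # make_pki <dir>
  d=$1
  # Root: self-signed, plays the cert already shipped in the browser.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Intermediate ("chain cert"): signed by the root, must itself be a CA.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  gen_req "$d" int "Lab Issuing CA"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.crt" 2>/dev/null
  # Server cert: signed by the intermediate, not by the root.
  gen_req "$d" www "www.example.test"
  openssl x509 -req -in "$d/www.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/www.crt" 2>/dev/null
}

# client_accepts <dir> [chain-file]: verify www.crt as a client that trusts
# only root.crt; chain-file is what the server sends along with its cert.
client_accepts() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1/root.crt" -untrusted "$2" "$1/www.crt" 2>/dev/null
  else
    openssl verify -CAfile "$1/root.crt" "$1/www.crt" 2>/dev/null
  fi | grep -q ': OK$'
}

lab=$(mktemp -d)
make_pki "$lab"
client_accepts "$lab" && echo "no chain sent: accepted" || echo "no chain sent: rejected"
client_accepts "$lab" "$lab/int.crt" && echo "chain sent: accepted" || echo "chain sent: rejected"
rm -rf "$lab"
```

The file passed to -untrusted stands in for the chain cert installed on the server: it is offered by the peer and only helps because it links the server cert to a root the client already trusts.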
* Re: [gentoo-user] OT - SSL certificate authorities
2005-11-16 15:24 ` kashani
@ 2005-11-16 18:26 ` Antoine
2005-11-19 15:20 ` A. Khattri
1 sibling, 0 replies; 14+ messages in thread
From: Antoine @ 2005-11-16 18:26 UTC
To: gentoo-user
kashani wrote:
> Antoine wrote:
>
>> Hi,
>> We are going to set up ssl on a webserver at work and I guess that
>> means we need a certificate... does anyone have any useful
>> alternatives to Verisign? Are they really worth the name?
>> We are not going to be doing any monetary transactions but our clients
>> are very security conscious (who isn't!) and I have no experience in
>> these matters. I am certain the boss will want verisign, as he buys a
>> lot of stuff just for the name but if I can offer him a comparable
>> alternative at a fraction of the cost he may go for it.
...
Thanks for all your suggestions. I think we will just go for a
self-signed because, at the end of the day, all our clients know us, and
trust us.
Thanks again
Antoine
* Re: [gentoo-user] OT - SSL certificate authorities
2005-11-15 21:53 ` David Mallwitz
@ 2005-11-16 18:29 ` Antoine
0 siblings, 0 replies; 14+ messages in thread
From: Antoine @ 2005-11-16 18:29 UTC
To: gentoo-user
> Remember that your web server must be properly
> configured (http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html) in
> order to offer any real security.
The howto says SGC is only available with verisign - is this true?
Cheers
Antoine
* Re: [gentoo-user] OT - SSL certificate authorities
2005-11-15 21:03 ` Mike Williams
@ 2005-11-17 0:13 ` Jonathan Nichols
0 siblings, 0 replies; 14+ messages in thread
From: Jonathan Nichols @ 2005-11-17 0:13 UTC
To: gentoo-user
> If these clients *know* you, and *trust* you, and know anything about
> security, there is no reason why you couldn't get away with a self-signed
> cert.
> If not, http://www.instantssl.com/
>
I can second this. I will be buying my mail server certs through
InstantSSL in a few weeks. So far, I've heard nothing but good things
about them, and their prices are excellent.
(No, I don't work there.)
* Re: [gentoo-user] OT - SSL certificate authorities
2005-11-16 15:24 ` kashani
2005-11-16 18:26 ` Antoine
@ 2005-11-19 15:20 ` A. Khattri
2005-11-19 17:07 ` kashani
1 sibling, 1 reply; 14+ messages in thread
From: A. Khattri @ 2005-11-19 15:20 UTC
To: gentoo-user
On Wed, 16 Nov 2005, kashani wrote:
> We've got a number of customers that use Geotrust which is
> significantly cheaper than Verisign/Thawte. Someone also uses Starfield
> which is dirt cheap.
>
> There is a technical issue when using certs no one has ever heard of
> before. Many times their cert company's root certs or whatever are not
> in the user's browser.
GeoTrust claim to have their root cert in 99% of the browsers out there...
* Re: [gentoo-user] OT - SSL certificate authorities
2005-11-19 15:20 ` A. Khattri
@ 2005-11-19 17:07 ` kashani
2005-11-21 16:35 ` A. Khattri
0 siblings, 1 reply; 14+ messages in thread
From: kashani @ 2005-11-19 17:07 UTC
To: gentoo-user
A. Khattri wrote:
> GeoTrust claim to have their root cert in 99% of the browsers out there...
Claims and actually works are two different things.
For the record IE 5 on the Mac is your big problem child. If it works
with a particular cert *AND* the SSL options/env you're passing then
you're pretty much golden. However I'd still take 30 seconds to install
the chain cert because I'm paranoid like that.
kashani
* Re: [gentoo-user] OT - SSL certificate authorities
2005-11-19 17:07 ` kashani
@ 2005-11-21 16:35 ` A. Khattri
0 siblings, 0 replies; 14+ messages in thread
From: A. Khattri @ 2005-11-21 16:35 UTC
To: gentoo-user
On Sat, 19 Nov 2005, kashani wrote:
> A. Khattri wrote:
> > GeoTrust claim to have their root cert in 99% of the browsers out there...
>
> Claims and actually works are two different things.
>
> For the record IE 5 on the Mac is your big problem child.
IE 5 on Mac is a strange beast in many many ways (wearing my web developer
hat now ;-)