[plug] Alternatives to Verisign/Thawte

James Devenish devenish at guild.uwa.edu.au
Thu Sep 18 19:17:56 WST 2003


In message <1063882675.1692.18.camel at latte.internal.itmaze.com.au>
on Thu, Sep 18, 2003 at 06:57:55PM +0800, Onno Benschop wrote:
> you really, really don't need to use a Certificate Authority to get an
> SSL server certificate.

Correct... (Though, of course, we're using TLS now, right ;)

> My understanding is that for a server certificate to be from a CA is
> only useful in any way if you're taking money off a client where there
> is no prior relationship between you and the client.

Consider that many uses of web PKI will be between a site and a *new*
user or an old user who is not using the same machine all the time (e.g.
secure webmail from Internet cafes). Not only will such people receive
undesirable warnings from their browsers, but some browsers (e.g.
Internet Explorer) make users jump through elaborate hoops to get rid of
"those annoying messages". Also, consider that PKI is providing
*authentication* as well as *encryption*. It is fine to say that your
regular webmail users would "know" that they're receiving a trustable
certificate from your site, but that's completely ruining the
authentication mechanism. If you *only* need encryption then you are
quite correct.


_______________________________________________
plug mailing list
plug at plug.linux.org.au
http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug
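
Added example, not part of the original message: a shell sketch of the authentication-versus-encryption point above. It assumes the OpenSSL command-line tool is installed; the host name webmail.example.test, the file names and the keys are constructed throwaway values.

```shell
#!/bin/sh
# Added example: the host name and keys are constructed, throwaway values.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_self_signed NAME CN: write $WORK/NAME.pem, a self-signed certificate for CN.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# fingerprint FILE: print the certificate's SHA-256 fingerprint.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_default FILE: a new user's view, validating against the default CA store only.
check_default() {
    if openssl verify "$1" 2>&1 | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

# check_pinned FILE PIN: a returning user's view, comparing with a fingerprint
# obtained earlier over a channel they already trusted.
check_pinned() {
    if [ "$(fingerprint "$1")" = "$2" ]; then echo match; else echo mismatch; fi
}

demo() {
    make_self_signed site webmail.example.test
    make_self_signed other webmail.example.test   # different key, same name
    pin=$(fingerprint "$WORK/site.pem")
    echo "new user,       site cert:  $(check_default "$WORK/site.pem")"
    echo "new user,       other cert: $(check_default "$WORK/other.pem")"
    echo "returning user, site cert:  $(check_pinned "$WORK/site.pem" "$pin")"
    echo "returning user, other cert: $(check_pinned "$WORK/other.pem" "$pin")"
}
demo
```

Both certificates look identical to a client with no prior relationship; only the previously recorded fingerprint tells them apart, which is the authentication a CA signature would otherwise supply.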

