Re: CRIME SSL Certificates

From: Shaun Savage (savages@private)
Date: Sun Nov 09 2003 - 07:32:31 PST

    In Oregon, I remember I read that it takes $500 and an audit within 90 
    days, then you are a certified CA "in the state of Oregon". This means 
    that certs signed by your CA cert can be used as official digital 
    signatures and supported by law. I read it once, but I could not find the 
    law again.
    
    The Mozilla browser has a list of valid CAs: RSA, VISA, GTE,....  You 
    might want to try one of those.
    
    For a company's internal security, a local CA is fine.  If the cert is 
    to be used externally, then being an official CA in the state of Oregon 
    would require the browser makers to include your root cert.
    
    Shaun
    
    
    Jacob E. Redding wrote:
    >   Shaun, 
    >      What is it about Oregon as compared to other states that makes it easy to
    > become a CA? 
    >      I have set up several internal CAs for companies and issued many, many
    > self-signed certificates, but as Crispin pointed out they aren't trusted by the
    > browser (unless the user says Yes the first time). 
    > 
    >      I am a little confused about the Oregon CA comments, thank you in advance
    > for the clarification. 
    > 
    > -Jacob Redding
    > 
    > 
    > Quoting Crispin Cowan <crispin@private>:
    > 
    > 
    >>Shaun Savage wrote:
    >>
    >>
    >>>You can make your certs yourself.
    >>>In Oregon, it is easy to become a Certificate Authority (CA) by 
    >>>registering with the state.
    >>>Have your company become a CA for your company. 
    >>
    >>... with the nasty little disadvantage that none of the users' browsers 
    >>will recognize the self-signed certificates. This business of being a CA 
    >>with your public key embedded in the common browsers is an interesting 
    >>little racket :)
    >>
    >>
    >>>I have used Thawte, but they are a part of Verisign now. 
    >>
    >>Thawte is the discount arm of VeriSign. At the time that VS bought 
    >>Thawte, VS had 60% of the cert market, Thawte had 30%, and a hundred 
    >>others shared the scrap. I'm simply amazed that the FTC let it go 
    >>through, as now VS has a de facto monopoly.
    >>
    >>Crispin
    >>
    


