Re: CRIME SSL Certificates

From: Jacob Redding (Jacob@private)
Date: Sun Nov 09 2003 - 10:29:17 PST


      That's good information to know.
    
    Thank you,
    Jacob Redding
    
    Quoting Shaun Savage <savages@private>:
    
    > In Oregon, I remember I read that it takes $500 and an audit within 90 
    > days, then you are a certified CA "in the state of Oregon". This means 
    > that certs signed by your CA cert can be used as official digital 
    > signature and supported by law. I read it once, but I could not find the 
    > law again.
    > 
    > The browser Mozilla has a list of valid CAs, RSA, VISA, GTE, ... You 
    > might want to try one of those.
    > 
    > For a company's internal security, a local CA is fine.  If the cert is 
    > to be used externally, then being an official CA in the state of Oregon 
    > would require the browser makers to include your root cert.
    > 
    > Shaun
    > 
    > 
    > Jacob E. Redding wrote:
    > >   Shaun, 
    > >      What is it about Oregon as compared to other states that makes it easy
    > > to become a CA? 
    > >      I have set up several internal CAs for companies and issued many, many
    > > self-signed certificates, but as Crispin pointed out they aren't trusted by
    > > the browser (unless the user says Yes the first time). 
    > > 
    > >      I am a little confused about the Oregon CA comments, thank you in
    > > advance for the clarification. 
    > > 
    > > -Jacob Redding
    > > 
    > > 
    > > Quoting Crispin Cowan <crispin@private>:
    > > 
    > > 
    > >>Shaun Savage wrote:
    > >>
    > >>
    > >>>You can make your certs yourself.
    > >>>In Oregon, it is easy to become a Certificate Authority (CA) by 
    > >>>registering with the state.
    > >>>Have your company become a CA for your company. 
    > >>
    > >>... with the nasty little disadvantage that none of the users' browsers 
    > >>will recognize the self-signed certificates. This business of being a CA 
    > >>with your public key embedded in the common browsers is an interesting 
    > >>little racket :)
    > >>
    > >>
    > >>>I have used Thawte, but they are a part of Verisign now. 
    > >>
    > >>Thawte is the discount arm of VeriSign. At the time that VS bought 
    > >>Thawte, VS had 60% of the cert market, Thawte had 30%, and a hundred 
    > >>others shared the scrap. I'm simply amazed that the FTC let it go 
    > >>through, as now VS has a de facto monopoly.
    > >>
    > >>Crispin
    > >>
    > 
    > 
    
    
    -- 
    -Jacob
    



    This archive was generated by hypermail 2b30 : Sun Nov 09 2003 - 11:07:35 PST