[CLUE-Admin] SSL cert for CLUE
CLUE President
president at clue.denver.co.us
Sat Apr 17 00:32:11 MDT 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Friday 16 April 2004 6:03 pm, David Anselmi wrote:
> CLUE President wrote:
> [...]
>
> > This may be handy for such a low price ($39 per year). The cheapest I
> > saw previously was $89 per year from go daddy.
> >
> > http://www.freessl.com/index.html
>
> Well, the good news is that their CA cert is included in Mozilla.
> Generally though I don't think CAs provide any value added so even $39
> is too much.
I disagree - they allow users to believe the site is trusted - because a) they
may not know any better and b) if our cert is signed by a public key already
in their browser, they won't even know the difference -- the key gets
authenticated and added to their keystore. So, the value is from the user's
perspective. I know you will disagree Dave, but our users may not understand
public key cryptography.
> I would make my own CA and sign my own certs. Put the root on the CLUE
> web site with prominent directions on installing it (that's what DoD
> does, since they have their own CA). Send the cert fingerprint out to
> CLUE-Announce, put it in your sig, announce it at meetings, and so on
I think the self-signed cert could be problematic because it will confuse
users when their web browser pops up with a self-signed warning message.
Your suggestion of posting our CA cert all over the place puts the burden on
the users to download it and then install it to avoid the self-signed
warning.
For $39, you pay for the convenience that your users do not have to deal with
our 'CLUE CA' cert not included with their browsers.
Another idea: we could offer a CLUE CA service - where we sign the public
keys of other LUGS; thereby becoming a 'trusted' source like Verisign.
> and you've got better security than buying one from FreeSSL or Verisign.
I'm not following - better security in terms of what? The security of SSL is
limited by the key length. The commercial vendors offer the perception of
trust -- that's it.
> (Interesting that they signed their site with their root CA cert
> rather than a subordinate signing cert like DoD does. But they are
> almost certainly lower assurance than DoD.)
- From a user's perpective, what's the assurance that someone is not spoofing
the CLUE web site with a spoofed public CLUE CA key? They would have to go
checking at least 2 sites to determine if the one they downloaded is valid.
This is the point of trusted third parties.
OTH - The $39 pays for the convenience of using someone else's CA cert that is
included (or at least more widely distributed) than our own generated one.
> Of course, if no one understands how a CA works then $39 is a bargain.
I'm not sure what you mean by this statement, either. Who's no one? Me?
admins? members? everyone?
> OTOH, why bother with a cert? What threat are we countering?
In particular, our mailman users all have to send their passwords in the clear
(Lynn and I discussed this after our mailman list admin password was
compromised and our mailman admin page was hacked). The recommended 'fix'
for this (from the mailman web site) is to run list admin pages through SSL.
I personally would not like someone else to get into the admin pages and steal
everyone's email address. But maybe other people like spam.
Then there's the issue that users may want to visit CLUE and read the pages
without their ISP or employer proxies (or No Such Agency) monitoring where
and what they do. I think this is a big issue. Some sites only allow SSL
access. It's about privacy.
> Aren't there a dozen more immediate that we should worry about (like keeping
> things patched)?
Dave you're welcome to start working on it... Should I pencil you in for next
weekend? :)
Later
- --
Colorado Linux Users and Enthusiasts (CLUE)
http://cluedenver.org/
Jeffery Cann, President
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD4DBQFAgM9v8E9qvtPugKYRAhnWAJjBzbEMPetHT3RF+JJBt+mj5vFxAJ9kf93f
MoRk5KsL7Sle9pvcvgVcLg==
=2xvk
-----END PGP SIGNATURE-----
More information about the clue-admin
mailing list