[CLUE-Admin] SSL cert for CLUE

[CLUE President]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 16 April 2004 6:03 pm, David Anselmi wrote:
> CLUE President wrote:
> [...]
>
> > This may be handy for such a low price ($39 per year).  The cheapest I
> > saw previously was $89 per year from go daddy.
> >
> > http://www.freessl.com/index.html
>
> Well, the good news is that their CA cert is included in Mozilla.
> Generally though I don't think CAs provide any value added so even $39
> is too much.

I disagree - they allow users to believe the site is trusted - because a) they 
may not know any better and b) if our cert is signed by a public key already 
in their browser, they won't even know the difference -- the key gets 
authenticated and added to their keystore.   So, the value is from the user's 
perspective.  I know you will disagree Dave, but our users may not understand 
public key cryptography.

> I would make my own CA and sign my own certs.  Put the root on the CLUE
> web site with prominent directions on installing it (that's what DoD
> does, since they have their own CA).  Send the cert fingerprint out to
> CLUE-Announce, put it in your sig, announce it at meetings, and so on

I think the self-signed cert could be problematic because it will confuse 
users when their web browser pops up with a self-signed warning message.  
Your suggestion of posting our CA cert all over the place puts the burden on 
the users to download it and then install it to avoid the self-signed 
warning.

For $39, you pay for the convenience that your users do not have to deal with 
our 'CLUE CA' cert not included with their browsers.

Another idea:  we could offer a CLUE CA service - where we sign the public 
keys of other LUGS; thereby becoming a 'trusted' source like Verisign.

> and you've got better security than buying one from FreeSSL or Verisign.

I'm not following - better security in terms of what?  The security of SSL is 
limited by the key length.  The commercial vendors offer the perception of 
trust -- that's it. 
>   (Interesting that they signed their site with their root CA cert
> rather than a subordinate signing cert like DoD does.  But they are
> almost certainly lower assurance than DoD.)

- From a user's perpective, what's the assurance that someone is not spoofing 
the CLUE web site with a spoofed public CLUE CA key?  They would have to go 
checking at least 2 sites to determine if the one they downloaded is valid.  
This is the point of trusted third parties.

OTH - The $39 pays for the convenience of using someone else's CA cert that is 
included (or at least more widely distributed) than our own generated one.

> Of course, if no one understands how a CA works then $39 is a bargain.

I'm not sure what you mean by this statement, either.  Who's no one?  Me?  
admins?  members?  everyone?

> OTOH, why bother with a cert?  What threat are we countering?  

In particular, our mailman users all have to send their passwords in the clear 
(Lynn and I discussed this after our mailman list admin password was 
compromised and our mailman admin page was hacked).   The recommended 'fix' 
for this (from the mailman web site) is to run list admin pages through SSL.

I personally would not like someone else to get into the admin pages and steal 
everyone's email address.  But maybe other people like spam.

Then there's the issue that users may want to visit CLUE and read the pages 
without their ISP or employer proxies (or No Such Agency) monitoring where 
and what they do.   I think this is a big issue.  Some sites only allow SSL 
access.  It's about privacy.

> Aren't there a dozen more immediate that we should worry about (like keeping
> things patched)?

Dave you're welcome to start working on it...  Should I pencil you in for next 
weekend?  :)

Later

- -- 
Colorado Linux Users and Enthusiasts (CLUE)
http://cluedenver.org/
Jeffery Cann, President


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD4DBQFAgM9v8E9qvtPugKYRAhnWAJjBzbEMPetHT3RF+JJBt+mj5vFxAJ9kf93f
MoRk5KsL7Sle9pvcvgVcLg==
=2xvk
-----END PGP SIGNATURE-----