[CLUE-Tech] cheap/free certificate authorities
David Anselmi
anselmi at anselmi.us
Fri Jun 18 17:19:31 MDT 2004
Brandon N wrote:
[...]
> I'm just curious if others have had any experience with CAs, and have
> any tips. Also, does anyone know of javascript, php or something
> script that will point users to the cacert root certificate if it
> notices they don't have it?

I've commented before (here or on CLUE Admin) that I don't think CAs are
worth what they charge. And more so if their root certs aren't
preinstalled (but that's me, YMMV).

As for getting the root cert to the users, if Apache has the right MIME
type for the cert, Mozilla will do something sensible when a cert is
downloaded. IE does something different; I don't remember if it is
sensible or not. (You can link to the root cert at the CA, or keep a
copy on your server.)

It isn't a question of the server detecting that the client needs the
cert--for verification the server probably provides the whole cert chain
anyway. It's a question of the browser trusting the root cert (if you
find a way to do that in javascript, send it to bugtraq).

You should definitely provide clear directions in an obvious place about
installing the root cert into the user's browser. And I would provide
an answer to "why should I trust this root cert" since that decision
will affect more than just your site. (Most users don't know enough to
ask that question, but providing a security education is a good thing IMO.)

Dave
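
An added example, not part of the original post: a Python check a site operator could run on their own root-cert download link, covering the MIME type and the "why should I trust this root cert" points above. It assumes the MIME type meant is application/x-x509-ca-cert and that the CA publishes a SHA-256 fingerprint out of band; the certificate bytes and fingerprint here are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re

# Assumption: the MIME type Mozilla-family browsers treat as a CA cert import.
CA_CERT_MIME = "application/x-x509-ca-cert"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_der(body: bytes) -> bytes:
    """Return DER bytes whether the download was PEM or raw DER."""
    if not body.lstrip().startswith(b"-----BEGIN"):
        return body
    match = _PEM_RE.search(body.decode("ascii"))
    if match is None:
        raise ValueError("PEM header without a complete CERTIFICATE block")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha256_fingerprint(body: bytes) -> str:
    """SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(to_der(body)).hexdigest()


def check_download(headers: dict, body: bytes, published_fp: str) -> list:
    """List the problems with a root-cert download; an empty list means OK."""
    problems = []
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != CA_CERT_MIME:
        problems.append(f"served as {ctype or 'no type'}, not {CA_CERT_MIME}")
    want = published_fp.replace(":", "").strip().lower()
    if not hmac.compare_digest(sha256_fingerprint(body), want):
        problems.append("fingerprint differs from the published value")
    return problems


# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed-not-a-real-cert"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
PUBLISHED_FP = hashlib.sha256(SAMPLE_DER).hexdigest().upper()  # constructed

if __name__ == "__main__":
    print(check_download({"Content-Type": CA_CERT_MIME}, SAMPLE_PEM, PUBLISHED_FP))
    print(check_download({"Content-Type": "text/plain"}, SAMPLE_DER, PUBLISHED_FP))
```

The fingerprint is taken over the DER bytes, so the PEM and DER downloads of the same certificate compare equal to one published value.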