[CLUE-Tech] cheap/free certificate authorities

Charles Oriez coriez at oriez.org
Fri Jun 18 17:39:15 MDT 2004


At 05:19 PM 6/18/2004 -0600, David Anselmi wrote:

>Brandon N wrote:
>[...]
>>I'm just curious if others have had any experience with CAs, and have
>>any tips.  Also, does anyone know of JavaScript, PHP or something
>>script that will point users to the cacert root certificate if it
>>notices they don't have it?
>
>I've commented before (here or on CLUE Admin) that I don't think CAs are 
>worth what they charge.  And more so if their root certs aren't 
>preinstalled (but that's me, YMMV).
>
>As for getting the root cert to the users, if Apache has the right MIME 
>type for the cert, Mozilla will do something sensible when a cert is 
>downloaded.  IE does something different, I don't remember if it is 
>sensible or not.  (You can link to the root cert at the CA, or keep a copy 
>on your server.)


What they do is not sensible.  Also not logical.  I have one desktop 
running Win 2K (dual boot).  After Verisign did its TLD hijacking, I 
decided in a snit that I would no longer consider them a trustworthy CA, 
and deleted them from the CA table.  All went well until I went to upgrade 
the IE version I had on that machine.  What I discovered was that the M$FT 
updates relied not on an M$FT cert, but a Verisign cert.  Rather than 
giving me an opportunity to decide whether to ignore the fact that they 
were offering a cert from what I considered an untrustworthy source, they 
aborted the update.  I had to restore Verisign to my cert table to complete 
the MSFT update.  I asked on one of the MSFT Usenet groups why they were 
using Verisign instead of their own certs, but never got a satisfactory answer.



Charles Oriez        coriez at oriez.org
**
Save the hermetic seals.




