ssl certificate advice
Zachary Kline
kline.zachary at gmail.com
Mon Oct 19 19:41:28 EDT 2009
Hi Greg,
I'm not all that familiar with SSL, so this is a relatively unconsidered
opinion.
Personally, I'd think it'd probably be easier for you to import your own
root certificate on her laptop. From the sound of things, the odds of
her checking webmail from another pc are not very high. More over, you
get to use the certificate however you like, in your case for encryption
without so many strings attached.
All the best,
Zack.
On Mon, Oct 19, 2009 at 04:32:39PM -0700, Gregory Nowak wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all.
>
> I thought I'd throw this out there, to see what kind of ideas I get
> back, and if there are maybe enough of the same type of responses to
> qualify as a majority consensus.
>
> I'm setting up a webmail account for my mother on my server, and she's
> transitioning from using webmail at a major ISP for the last 6 years
> or so. She checks her mail on her windows laptop, which spends all of
> its time so far sitting on her desk at home. She hasn't checked her
> webmail on a pc other than her laptop for the last 6 years as far as I
> know, but that can of course happen at any time.
>
> The webmail sessions have to be encrypted, she refuses to login to any
> account, if it doesn't have the lock icon, or if that lock icon
> doesn't look like it's supposed to. I know she'd also complain if
> internet explorer told her that there is a problem with a site's
> certificate every time she clicked a link to go to another page. So,
> to summarize, it has to go over https, even if it will just be over
> our wired lan, and ssl has to behave as it would for most other
> sites. Also, getting a commercial ssl certificate isn't an option, not
> at this point anyway.
>
> I am considering signing up with cacert.org, and getting a standard
> automatically signed certificate through their system, and importing
> their root cert on my mom's machine. However, cacert's emphasis is
> on authentication, (and rightly so). They even state on their site
> that their goal is to create a web of trust among all their users. On
> the other hand, I'm just interested in the encryption benefits of ssl
> in this case, and not in authentication.
>
> So, what I'm trying to decide is if it's worth it for me to sign up
> with cacert.org, thus getting a certificate signed by them, but in
> turn also being bound by responsibilities in their rather long, and
> many agreements, or if it would be a better idea, considering the
> circumstances, and my goal of encryption vs. authentication, to simply
> import my own root cert on my mother's machine. From what I've seen,
> importing a root cert into windows for a user isn't a walk in the
> park, whereas cacert has an activex control that will import their
> root cert. This however isn't a major deciding factor for me. The way
> I see it, given that my mom checks her mail on her laptop, I'm better
> off importing my own root cert on her machine. She would get
> complaints from internet explorer, if she ever checked her mail on
> another machine, but at this point in time, it would be the same with
> cacert's root certificate also. As for other users who currently have
> accounts on my system, getting a cacert-signed certificate would
> benefit them in the long run, but at this point, there are only a
> couple of people with accounts here, and none of them use webmail from
> what I've seen based on my apache logs.
>
> So, what I'm trying to settle on is if it's worth it for me to sign up
> with cacert, the way things stand now with their root cert,
> (especially given that I'm not interested in authentication, and
> wouldn't be interested in meeting up with someone else to verify me,
> or for me to verify them, if that's possible), or if I should just
> import my root cert on my mom's machine. Any thoughts which would
> contribute in helping me to decide one way or the other, especially
> pointing out anything I over looked, would be appreciated, and thanks
> in advance.
>
> Greg
>
>
> - --
> web site: http://www.romuald.net.eu.org
> gpg public key: http://www.romuald.net.eu.org/pubkey.asc
> skype: gregn1
> (authorization required, add me to your contacts list first)
>
> - --
> Free domains: http://www.eu.org/ or mail dns-manager at EU.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iEYEARECAAYFAkrc9xYACgkQ7s9z/XlyUyClEwCdGInlyqKV+3xw4+hmC4/tX/yW
> CEsAn3tvBRHWgccG+QYAYRoEyzaFDNxy
> =i79e
> -----END PGP SIGNATURE-----
> _______________________________________________
> Speakup mailing list
> Speakup at braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
More information about the Speakup
mailing list