ssl certificate advice

John G. Heim jheim at math.wisc.edu
Tue Oct 20 10:06:26 EDT 2009


Personally, I think signing up at cacert.org is worth the trouble. You get 
that out of the way and from then on generating and keeping track of your 
certificates is a breeze. If you need to reinstall a cert, it's right there 
on their web site.

----- Original Message ----- 
From: "Gregory Nowak" <greg at romuald.net.eu.org>
To: <speakup at braille.uwo.ca>
Sent: Monday, October 19, 2009 6:32 PM
Subject: ssl certificate advice


> Hi all.
>
> I thought I'd throw this out there, to see what kind of ideas I get
> back, and if there are maybe enough of the same type of responses to
> qualify as a majority consensus.
>
> I'm setting up a webmail account for my mother on my server, and she's
> transitioning from using webmail at a major ISP for the last 6 years
> or so. She checks her mail on her Windows laptop, which spends all of
> its time so far sitting on her desk at home. She hasn't checked her
> webmail on a PC other than her laptop for the last 6 years as far as I
> know, but that can of course happen at any time.
>
> The webmail sessions have to be encrypted, she refuses to log in to any
> account, if it doesn't have the lock icon, or if that lock icon
> doesn't look like it's supposed to. I know she'd also complain if
> Internet Explorer told her that there is a problem with a site's
> certificate every time she clicked a link to go to another page. So,
> to summarize, it has to go over https, even if it will just be over
> our wired LAN, and SSL has to behave as it would for most other
> sites. Also, getting a commercial SSL certificate isn't an option, not
> at this point anyway.
>
> I am considering signing up with cacert.org, and getting a standard
> automatically signed certificate through their system, and importing
> their root cert on my mom's machine. However, cacert's emphasis is
> on authentication, (and rightly so). They even state on their site
> that their goal is to create a web of trust among all their users. On
> the other hand, I'm just interested in the encryption benefits of SSL
> in this case, and not in authentication.
>
> So, what I'm trying to decide is if it's worth it for me to sign up
> with cacert.org, thus getting a certificate signed by them, but in
> turn also being bound by responsibilities in their rather long, and
> many agreements, or if it would be a better idea, considering the
> circumstances, and my goal of encryption vs. authentication, to simply
> import my own root cert on my mother's machine. From what I've seen,
> importing a root cert into Windows for a user isn't a walk in the
> park, whereas cacert has an ActiveX control that will import their
> root cert. This however isn't a major deciding factor for me. The way
> I see it, given that my mom checks her mail on her laptop, I'm better
> off importing my own root cert on her machine. She would get
> complaints from Internet Explorer, if she ever checked her mail on
> another machine, but at this point in time, it would be the same with
> cacert's root certificate also. As for other users who currently have
> accounts on my system, getting a cacert-signed certificate would
> benefit them in the long run, but at this point, there are only a
> couple of people with accounts here, and none of them use webmail from
> what I've seen based on my Apache logs.
>
> So, what I'm trying to settle on is if it's worth it for me to sign up
> with cacert, the way things stand now with their root cert,
> (especially given that I'm not interested in authentication, and
> wouldn't be interested in meeting up with someone else to verify me,
> or for me to verify them, if that's possible), or if I should just
> import my root cert on my mom's machine. Any thoughts which would
> contribute in helping me to decide one way or the other, especially
> pointing out anything I overlooked, would be appreciated, and thanks
> in advance.
>
> Greg
>
>
> - -- 
> web site: http://www.romuald.net.eu.org
> gpg public key: http://www.romuald.net.eu.org/pubkey.asc
> skype: gregn1
> (authorization required, add me to your contacts list first)
>
> - --
> Free domains: http://www.eu.org/ or mail dns-manager at EU.org
> 
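
The "import my own root cert" option raised in the quoted question, sketched as an added example that is not part of the original thread: a private root CA that is name-constrained to one domain, so that trusting it on a client cannot be used to vouch for unrelated sites. The names `example.net`, `webmail.example.net` and `mail.example.org` are placeholders, and the `certutil` line in the closing comment is one way to do the import on current Windows.

```shell
#!/bin/sh
# Added example: private root CA limited by name constraints to one domain.
# example.net and the host names below are placeholders, not from the thread.
set -eu
DOMAIN=example.net
WORK=$(mktemp -d)

make_root_ca() {   # self-signed root; nameConstraints limits what it may vouch for
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Home Root CA (constructed example)
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:$DOMAIN
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_cert() {     # $1 = host name; writes $WORK/$1.crt signed by the root
  printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' \
    "$1" > "$WORK/$1.ext"
  openssl req -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

chain_ok() {       # exit status 0 if $1's cert verifies against the root alone
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

make_root_ca
issue_cert "webmail.$DOMAIN"
issue_cert "mail.example.org"        # a name outside the permitted domain
chain_ok "webmail.$DOMAIN" && echo "webmail.$DOMAIN: chain verifies"
chain_ok "mail.example.org" || echo "mail.example.org: rejected by name constraint"
# Only ca.crt goes to the client; ca.key stays off the web server.
# On current Windows, a per-user import can be done with:
#   certutil -user -addstore Root ca.crt
```

`openssl verify` enforces the constraint here; whether a particular browser or operating system enforces name constraints on an imported root should be tested on that client before relying on it.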