ssl certificate advice

Gregory Nowak greg at romuald.net.eu.org
Mon Oct 19 19:32:39 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all.

I thought I'd throw this out there, to see what kind of ideas I get
back, and if there are maybe enough of the same type of responses to
qualify as a majority consensus.

I'm setting up a webmail account for my mother on my server, and she's
transitioning from using webmail at a major ISP for the last 6 years
or so. She checks her mail on her windows laptop, which spends all of
its time so far sitting on her desk at home. She hasn't checked her
webmail on a pc other than her laptop for the last 6 years as far as I
know, but that can of course happen at any time. 

The webmail sessions have to be encrypted, she refuses to login to any
account, if it doesn't have the lock icon, or if that lock icon
doesn't look like it's supposed to. I know she'd also complain if
internet explorer told her that there is a problem with a site's
certificate every time she clicked a link to go to another page. So,
to summarize, it has to go over https, even if it will just be over
our wired lan, and ssl has to behave as it would for most other
sites. Also, getting a commercial ssl certificate isn't an option, not
at this point anyway.

I am considering signing up with cacert.org, and getting a standard
automatically signed certificate through their system, and importing
their root cert on my mom's machine. However, cacert's emphasis is
on authentication, (and rightly so). They even state on their site
that their goal is to create a web of trust among all their users. On
the other hand, I'm just interested in the encryption benefits of ssl
in this case, and not in authentication.

So, what I'm trying to decide is if it's worth it for me to sign up
with cacert.org, thus getting a certificate signed by them, but in
turn also being bound by responsibilities in their rather long, and
many agreements, or if it would be a better idea, considering the
circumstances, and my goal of encryption vs. authentication, to simply
import my own root cert on my mother's machine. From what I've seen,
importing a root cert into windows for a user isn't a walk in the
park, whereas cacert has an activex control that will import their
root cert. This however isn't a major deciding factor for me. The way
I see it, given that my mom checks her mail on her laptop, I'm better
off importing my own root cert on her machine. She would get
complaints from internet explorer, if she ever checked her mail on
another machine, but at this point in time, it would be the same with
cacert's root certificate also. As for other users who currently have
accounts on my system, getting a cacert-signed certificate would
benefit them in the long run, but at this point, there are only a
couple of people with accounts here, and none of them use webmail from
what I've seen based on my apache logs.

So, what I'm trying to settle on is if it's worth it for me to sign up
with cacert, the way things stand now with their root cert,
(especially given that I'm not interested in authentication, and
wouldn't be interested in meeting up with someone else to verify me,
or for me to verify them, if that's possible), or if I should just
import my root cert on my mom's machine. Any thoughts which would
contribute in helping me to decide one way or the other, especially
pointing out anything I over looked, would be appreciated, and thanks
in advance.

Greg


- -- 
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)

- --
Free domains: http://www.eu.org/ or mail dns-manager at EU.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkrc9xYACgkQ7s9z/XlyUyClEwCdGInlyqKV+3xw4+hmC4/tX/yW
CEsAn3tvBRHWgccG+QYAYRoEyzaFDNxy
=i79e
-----END PGP SIGNATURE-----



More information about the Speakup mailing list