Educause Security Discussion mailing list archives
Re: Seeking RFP text for server and messaging cert mgmt services
From: Elliot Metsger <emetsger () JHU EDU>
Date: Mon, 14 Jun 2004 23:02:05 -0700
Jere,

Jere Retzer wrote:
Good points, but why would you want a user to trust ABA, Autoridad, Baltimore, Belgicom (he asks just reading down the list of root CAs that comes with IE) more than Notre Dame? The idea that we should ask our users to trust some company no one has heard of more than their university seems a bit upside down, doesn't it?
Sure - for applications that face inward to the institution that makes sense. But then in that case the institution now has to manage a PKI, which puts a concrete figure on "how much is security worth?" It would also require efforts on the part of the IT shops in the institution to put the root certs on their desktop images.
And how good are the controls over what gets into the browser anyway?
Good question. My guess is, if a vendor can pay enough money you'll get your signing certs into the browser's list and be "trusted". :)
dobbins () ND EDU 6/15/2004 6:05:32 PM >>>
As we work to raise user awareness of security, one of the guidelines commonly given is to not accept certs that the browser doesn't already trust. That's a coarse-grained advice, for sure, but training them to at least be suspicious is a starting point. So, conveying how and when to differentiate between root-signed and "self-signed" certs is a challenge for non-technical users - they want one rule for every case. That, and sometimes it's not clear to all end-users how to import a new root into, say, Thunderbird mail. So, they either get angry, or we dilute the "don't accept questionable certs" training. Maybe someday, when the PK mechanism is better understood by the end-user populace....

Jere Retzer wrote:
True, but is not appearing in the Microsoft-distributed list a barrier? Most folks are pretty casual about accepting certificates. If you can't trust ND, then who can you trust (except in football, of course)?
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
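The point raised above, that a certificate issued under an institutional root is only "trusted" once IT has pushed that root onto the desktop images, shown as an added example (not code from the list discussion) in Go with only the standard library: a constructed, self-signed "Example University Root CA" issues a server certificate, and verification is tried first against an empty pool standing in for the vendor-shipped root list, then against the same pool with the university root added. The CA name and the hostname www.example.edu are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // demo-only error handling
	if err != nil {
		panic(err)
	}
	return v
}

// BuildInstitutionalChain constructs a hypothetical, self-signed "Example University Root CA" and a server certificate it issued.
func BuildInstitutionalChain() (root, leaf *x509.Certificate) {
	rootKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "Example University Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA:      true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:   pkix.Name{CommonName: "www.example.edu"}, DNSNames: []string{"www.example.edu"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	return root, leaf
}

// TrustedBy returns nil when leaf chains to a root in store for host, otherwise the verification error: the same accept/reject decision a browser makes on connect.
func TrustedBy(leaf *x509.Certificate, store *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err
}

func main() {
	root, leaf := BuildInstitutionalChain()
	withRoot := x509.NewCertPool() // the shipped root list after IT adds the university root
	withRoot.AddCert(root)
	fmt.Println("shipped roots only:", TrustedBy(leaf, x509.NewCertPool(), "www.example.edu"))
	fmt.Println("university root installed:", TrustedBy(leaf, withRoot, "www.example.edu"))
}
```

The first check fails with an unknown-authority error and the second succeeds; the same cert is rejected or accepted purely on which roots the client carries.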