Educause Security Discussion mailing list archives
Re: SSL Certificates
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 18 Mar 2009 08:12:03 -0400
Jeff Giacobbe wrote:
> Colleagues-
>
> We routinely use ipsCA SSL certificates for our production (and test) web servers. The company offers -free- SSL certs to .edu domains,

Jeff,

Are they free only the first two years or continuously? (Not that two years of saving money wouldn't be very welcome right now :)

> and they are every bit as good as Verisign, Thawte, GeoTrust, GoDaddy, etc, certificates that often cost hundreds of dollars.

A certificate is a certificate. What counts are the policies and procedures a CA uses. Unfortunately, the Certificate Practice Statement they make available on their web site is in Spanish. Anyone have an English copy? The only thing I can find on their web site is this:

"ipsCA will verify the certificate information as follows:
- Checking the applicant’s domain name using a public domain name registry.
- Checking the applicant’s company name, the address and the telephone number using information from an independent third party business database.
If the applicant’s company name cannot be validated, fax documentation will be needed. All certificate requests must contain an Organization Name which must be the same as the owner of the domain as appears in the public domain name registry."

Can anyone comment about how those practices compare to other CAs?

We use the Thawte PKI program for most certificates and have used Verisign for special purpose certificates. If I remember correctly, there was quite a bit of back and forth verification communications during the setup of the Thawte program and quite a bit of back and forth verification communications when each Verisign certificate was issued or renewed.

I guess the worst thing that could happen is something that requires your server certificates to be revoked. Well, loss of a CA private key or their erroneous issuance of a certificate for your domain would be worse but you'd be affected by that whether you are a customer of the affected CA or not.

Free certs would certainly save us a lot of money. Anyone see significant risk in this?

> It's a no-brainer IMHO.
>
> A few years ago there was some issue with older browsers (IE < 5.0, Mozilla, Safari 1.0) not having the ipsCA root cert built-in, but these days there is near 100% compatibility across all browsers.

What keeps them from being 100%? Can you give us some examples of problems that still occur? Can the problems be solved simply by having the clients import their CA certificates?

> As to the original poster's question, I'm not sure why someone at a .edu would apply for a "trial" ipsCA cert when they can get a production one for free.

Agree.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security