Educause Security Discussion mailing list archives

Re: SSL Certificates

From: "Consolvo, Corbett D" <cc72 () TXSTATE EDU>
Date: Tue, 17 Mar 2009 19:18:03 -0500

We have also migrated to almost all IPSCA certificates and have had no issues.

Corbett Consolvo
Texas State University

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Giacobbe 
[giacobbej () MAIL MONTCLAIR EDU]
Sent: Tuesday, March 17, 2009 6:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SSL Certificates

Colleagues-

We routinely use ipsCA SSL certificates for our production (and test)
web servers. The company offers -free- SSL certs to .edu domains, and
they are every bit as good as Verisign, Thawte, GeoTrust, GoDaddy, etc,
 certificates that often cost hundreds of dollars. It's a no-brainer IMHO.

A few years ago there was some issue with older browsers (IE < 5.0,
Mozilla, Safari 1.0) not having the ipsCA root cert built-in, but these
days there is near 100% compatibility across all browsers.

As to the original posters question, I'm not sure why someone at a .edu
would apply for a "trial" ipsCA cert when they can get a production one
for free.

Regards,

Jeff Giacobbe
Montclair State University

Rowe, Ken wrote, On 3/17/09 7:11 PM:

Web servers running in operational (not development) environment must
have an official certificate. We would not allow a trial certificate,
especially when dealing with (HIPAA-restricted?) sensitive data.

Ken. == Ken Rowe Director of Enterprise Systems Assurance and
Information Security University Office of Administrative Information
Technology Services University of Illinois 50 Gerty Drive, MC-673
Champaign, IL 61820 E kenrowe () uillinois edu O 217.265.0415 F
217.333.6991 -----Original Message----- From: The EDUCAUSE Security
Constituent Group Listserv on behalf of Mclaughlin, Kevin (mclaugkl)
Sent: Tue 3/17/2009 2:18 PM To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SSL Certificates

How are the rest of you dealing with this type of request?  Are there
any inherent risks with approving these types of requests?

===============================================================
Hello, Kevin Mclaughlin,

I am sending this email to ask your help in the approval of our trial
SSL certificate application.

We have applied a trial SSL certificate from ipsCA
(http://certs.ipsca.com<http://certs.ipsca.com/>) for our web site
http://XXX<http://xxx/>, which will provide online clinical data
collection function for Translational research

=====================================================================
 Thanks, -Kevin

Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, PMP, ITIL Master
Certified Assistant Vice President, Information Security & Special
Projects University of Cincinnati 513-556-9177

Current thread:

SSL Certificates Mclaughlin, Kevin (mclaugkl) (Mar 17)
- <Possible follow-ups>
- Re: SSL Certificates Rowe, Ken (Mar 17)
- Re: SSL Certificates Jeff Giacobbe (Mar 17)
- Re: SSL Certificates Consolvo, Corbett D (Mar 17)
- Re: SSL Certificates John Ladwig (Mar 17)
- Re: SSL Certificates Gary Flynn (Mar 18)
- Re: SSL Certificates Brian Epstein (Mar 18)
- Re: SSL Certificates Ryan Fox (Mar 18)
- Re: SSL Certificates Charlie Prothero (Mar 18)
- Re: SSL Certificates Eric Torgersen (Mar 18)
- Re: SSL Certificates Doug Hoffman (Mar 18)
- Re: SSL Certificates Steven Tardy (Mar 18)
- Re: SSL Certificates Cal Frye (Mar 19)