Educause Security Discussion mailing list archives

Re: SSL Certificates


From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 18 Mar 2009 08:12:03 -0400

Jeff Giacobbe wrote:
Colleagues-


We routinely use ipsCA SSL certificates for our production (and test)
web servers. The company offers -free- SSL certs to .edu domains,

Jeff,

Are they free only the first two years or continuously? (Not that two
years of saving money wouldn't be very welcome right now :)

and they are every bit as good as Verisign, Thawte, GeoTrust, GoDaddy,
etc. certificates that often cost hundreds of dollars.

A certificate is a certificate. What counts are the policies and
procedures a CA uses. Unfortunately, the Certificate Practice
Statement they make available on their web site is in Spanish.
Anyone have an English copy?

The only thing I can find on their web site is this:

" ipsCA will verify the certificate information as follows:
  -  Checking the applicant’s domain name using a public domain
     name registry.
  - Checking the applicant’s company name, the address and the
    telephone number using information from an independent third
    party business database.
  If the applicant’s company name cannot be validated, fax
  documentation will be needed.
  All certificate requests must contain an Organization Name which
  must be the same as the owner of the domain as appears in the
  public domain name registry."

Can anyone comment about how those practices compare to other
CAs?

We use the Thawte PKI program for most certificates and have used
Verisign for special purpose certificates. If I remember correctly,
there was quite a bit of back and forth verification communications
during the setup of the Thawte program and quite a bit of back and
forth verification communications when each Verisign certificate was
issued or renewed.

I guess the worst thing that could happen is something that requires
your server certificates to be revoked. Well, loss of a CA private
key or their erroneous issuance of a certificate for your domain
would be worse but you'd be affected by that whether you are a
customer of the affected CA or not.

Free certs would certainly save us a lot of money. Anyone see
significant risk in this?


It's a no-brainer IMHO.

A few years ago there was some issue with older browsers (IE < 5.0,
Mozilla, Safari 1.0) not having the ipsCA root cert built-in, but these
days there is near 100% compatibility across all browsers.

What keeps them from being 100%? Can you give us some examples
of problems that still occur? Can the problems be solved simply
by having the clients import their CA certificates?


As to the original poster's question, I'm not sure why someone at a .edu
would apply for a "trial" ipsCA cert when they can get a production one
for free.

Agree.



--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
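The compatibility question raised above comes down to whether the client already trusts the issuing root. The following shell script is an added example, not code from this thread or from any CA: it builds a throwaway root CA and a server certificate, then shows chain validation failing until the root is in the trust store. It assumes OpenSSL 1.1.0 or later on PATH; all names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Throwaway CA + leaf certificate, then
# chain checks with and without the CA root trusted. Assumes openssl >= 1.1.0
# (for -no-CAfile/-no-CApath). Names below are constructed placeholders.
set -e

WORK=$(mktemp -d)

# Throwaway root CA: stands in for a CA root a client may or may not ship.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/O=Example Test CA/CN=Example Test Root" >/dev/null 2>&1
  # Server key and CSR, then a leaf certificate issued by the throwaway CA.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
    -subj "/O=Example University/CN=www.example.edu" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/srv.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/srv.crt" >/dev/null 2>&1
}

# verify_chain CERT [CAFILE]: exit 0 when OpenSSL accepts CERT's chain.
# The default system stores are disabled, so without CAFILE this is the
# position of a client that never imported the issuing root.
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -no-CApath -no-CAfile "$1" >/dev/null 2>&1
  fi
}

make_certs
if verify_chain "$WORK/srv.crt"; then
  echo "unexpected: chain accepted without the CA root"
else
  echo "root not in trust store: chain rejected (an old browser would warn)"
fi
if verify_chain "$WORK/srv.crt" "$WORK/ca.crt"; then
  echo "root imported: chain accepted"
fi
```

The temporary directory is left in place so the generated certificates can be inspected with `openssl x509 -text`.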
