Educause Security Discussion mailing list archives

Re: SSL Certificates


From: Doug Hoffman <dhoffman () BLOOMU EDU>
Date: Wed, 18 Mar 2009 10:18:03 -0400


I've noticed that Opera (any platform) and Windows Mobile don't trust
ipsCA's root cert, as well.

Another downside to ipsCA is that their certs are chained - this may not
work well with certain servers and/or clients. One thing we've run into
is lack of support for using chained certs with web auth on Cisco's WLAN
controllers.

We primarily use Thawte's SPKI for our certs, the exception being
non-production servers where we will temporarily use ipsCA certs.
Thawte's certs are unchained, signed directly off of Thawte's root cert
(so they play well with anything), and we have yet to find any client
that doesn't have their root cert in the trusted CA list. Their price
isn't great, but we don't have to worry about any compatibility issues.

:: Doug Hoffman, Network and Systems Administrator ::
:::::: Office of Technology / Network Services ::::::
::::::: Bloomsburg University of Pennsylvania :::::::
::::::: +1.570.389.4759 / dhoffman () bloomu edu :::::::

Eric Torgersen wrote:
In addition to the root CA expiration issue, I have noticed that Java
doesn't ship with IPSCA included as a trusted CA.  This can be an issue
for a Java applet that makes an SSL connection back to the web server.

Eric

----------------------------------------------------------
     Eric Torgersen        Information Technology Services
Unix System Administrator  The University @ Albany
     eric () albany edu       1400 Washington Ave
     (518) 437-3665        Albany, NY 12222
----------------------------------------------------------


On Wed, 18 Mar 2009, Brian Epstein wrote:

Security,

      The only thing holding us back from IPSCA is that their Root CA expires
12/29/2009.  I wasn't sure what was going to happen afterward.  Does
anyone know if this CA has been updated?

      Instead, we decided to go with ssldirect.com.  If you sign up as a
reseller, you can get SSL Certs for $11.95/year.  At this price, we
could afford to start using them on many more services.

Thanks,
ep


