Educause Security Discussion mailing list archives

Re: SSL scaling

From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Wed, 15 Jun 2011 14:33:28 -0500

InCommon seems to be operating as a reseller of Comodo certs, which implies that they may chain back to top-level CAs 
recognized by common browsers and operating systems.

I disremember what Ipsca offers, in terms of broad recognition.

It'd be a kindness if someone could refresh us on the need or absence of need to do local browser-cert installation to 
take advantage of these lower-cost services.


Also, anyone who is interested in CAs and PKI in general should familiarize themselves with the work published by Chris 
Palmer in relation to the EFF's SSL Observatory project.  Some of their findings are... dismaying.

  https://www.eff.org/deeplinks/2011/04/fully-qualified-nonsense-ssl-observatory 
  https://www.eff.org/deeplinks/2011/04/unqualified-names-ssl-observatory 

  https://www.eff.org/observatory

   -jml

Dexter Caldwell <Dexter.Caldwell () FURMAN EDU> 2011-06-15 14:12 >>>


You could consider Ipsca's free for 2yr certs for education or some other
cheap vendor.   Or you can consider wildcards ir your own pki.   The
latter of course is a whole other issue to manage.
Dexter

The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> writes:

We currently use a vended managed PKI portal that allows us to issue SSL
certs to internal customers when they roll out a website, but its costs
increase almost linearly with the size of our web portfolio. With the way
the web is moving, I don't think this linear growth is sustainable. What
solutions are in place and recommended among small to medium institutions
for managing SSL certificates? Is a wild card cert the only way to manage
this growth?

I confess when I first moved to Higher Ed I was surprised to find that
Educause itself doesn't operate in the CA space. After it has vetted an
institution for a .edu domain, the process for validating that
institution's identity is already shortcut, is it not?

(I apologize if this is a FAQ. I've been unable to access the
listserve.educause.edu site to research the archives for some reason.)

Best wishes,
Michael A. Smith
Web & Digital / Academic Technologies Manager
Nazareth College

Current thread:

SSL scaling Michael A. Smith (Jun 15)
- Re: SSL scaling Julian Y Koh (Jun 15)
- Re: SSL scaling Jay Fowler (Jun 15)
- Re: SSL scaling Dexter Caldwell (Jun 15)
  - Re: SSL scaling John Ladwig (Jun 15)
    - Re: SSL scaling Flynn, Gary - flynngn (Jun 15)
    - Re: SSL scaling Jay Fowler (Jun 15)
    - Re: SSL scaling Frazier, William S [ITSYS] (Jun 15)
  - Re: SSL scaling Frazier, William S [ITSYS] (Jun 15)
    - Re: SSL scaling King, Ronald A. (Jun 15)
- Re: SSL scaling Jack Suess (Jun 15)
- Re: SSL scaling Hubert, Wesley R (Jun 16)
  - Re: SSL scaling Michael Fertig (Jun 17)
    - Re: SSL scaling Kevin Halgren (Jun 21)
  - Re: SSL scaling Jack Suess (Jun 17)

(Thread continues...)