Re: SSL scaling

["Flynn, Gary - flynngn" <flynngn () JMU EDU>]

-----Original Message-----
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wed, 15 Jun 2011 14:33:28 -0500
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] SSL scaling

> InCommon seems to be operating as a reseller of Comodo certs, which
> implies that they may chain back to top-level CAs recognized by common
> browsers and operating systems.

That is correct. And for one low price, you get unlimited server (simple,
SAN, and EV), user (S/MIME/Auth/Encryption), and code signing certs signed
by a CA included in most products. Top level cert is already included in
browsers. And I suspect having a common Incommon intermediate cert and
policies is going to have collaboration advantages at some point in the
future.



> I disremember what Ipsca offers, in terms of broad recognition.
>
> It'd be a kindness if someone could refresh us on the need or absence of
> need to do local browser-cert installation to take advantage of these
> lower-cost services.
>
>
> Also, anyone who is interested in CAs and PKI in general should
> familiarize themselves with the work published by Chris Palmer in
> relation to the EFF's SSL Observatory project.  Some of their findings
> are... dismaying.
>
>  
> https://www.eff.org/deeplinks/2011/04/fully-qualified-nonsense-ssl-observa
> tory 
>  https://www.eff.org/deeplinks/2011/04/unqualified-names-ssl-observatory
>
>  https://www.eff.org/observatory
>
>   -jml
>
> > > > Dexter Caldwell <Dexter.Caldwell () FURMAN EDU> 2011-06-15 14:12 >>>
>
> You could consider Ipsca's free for 2yr certs for education or some other
> cheap vendor.   Or you can consider wildcards ir your own pki.   The
> latter of course is a whole other issue to manage.
> Dexter
>
> The EDUCAUSE Security Constituent Group Listserv
> <SECURITY () LISTSERV EDUCAUSE EDU> writes:
> > We currently use a vended managed PKI portal that allows us to issue SSL
> > certs to internal customers when they roll out a website, but its costs
> > increase almost linearly with the size of our web portfolio. With the way
> > the web is moving, I don't think this linear growth is sustainable. What
> > solutions are in place and recommended among small to medium institutions
> > for managing SSL certificates? Is a wild card cert the only way to manage
> > this growth?
> >
> > I confess when I first moved to Higher Ed I was surprised to find that
> > Educause itself doesn't operate in the CA space. After it has vetted an
> > institution for a .edu domain, the process for validating that
> > institution's identity is already shortcut, is it not?
> >
> > (I apologize if this is a FAQ. I've been unable to access the
> > listserve.educause.edu site to research the archives for some reason.)
> >
> > Best wishes,
> > Michael A. Smith
> > Web & Digital / Academic Technologies Manager
> > Nazareth College


-- 
Gary Flynn

Security Engineer
James Madison University

Attachment: smime.p7s
Description: