Educause Security Discussion mailing list archives

Re: SSL scaling


From: "Frazier, William S [ITSYS]" <frazier () IASTATE EDU>
Date: Wed, 15 Jun 2011 16:30:24 -0500

Be aware that many certificate providers are having to introduce new intermediate CAs in order to meet increasingly 
stringent security standards.  This is true of Comodo as well as others.  This means that an intermediate certificate 
may need to be installed on servers and on client platforms that do not receive browser cert file updates.  Users of 
current browsers, however, do not need to do anything.

With the Comodo certs issued under the InCommon rubric, the intermediate is included in the certificate bundle for each 
cert issued.

Fees for the institution, by the way, are based on the Carnegie Classification and are a fixed annual amount not 
connected to the number of certs issued.

Bill
------------------------------------------------------------------
Bill Frazier                                 frazier () iastate edu
Unix OS, Apps, Evolving Technologies Lead   voice: (515) 294-8620
Iowa State University                        fax:   (515) 294-1717
Information Technology Services, 251 Durham, Ames, Iowa 50011-2251



From: Jay Fowler <fowler () CSUFRESNO EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wed, 15 Jun 2011 15:40:46 -0500
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] SSL scaling



________________________________
From: "John Ladwig" <John.Ladwig () CSU MNSCU EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Wednesday, June 15, 2011 12:33:28 PM
Subject: Re: [SECURITY] SSL scaling

InCommon seems to be operating as a reseller of Comodo certs, which implies that they may chain back to top-level CAs 
recognized by common browsers and operating systems.

I disremember what Ipsca offers, in terms of broad recognition.

It'd be a kindness if someone could refresh us on the need or absence of need to do local browser-cert installation to 
take advantage of these lower-cost services.

With InCommon, you log into their web site, submit the CSR and they email links to the signed, intermediate and root 
certs. The turnaround time has been on the order of a few minutes to a couple hours. The intermediate cert is from 
InCommon, issued by Comodo. The application needing a certificate will need to know about the intermediate and possibly 
the root CA cert, but client browsers and operating systems seem to already have the root CA. And because clients have 
the root CA, the end user is not being prompted to install untrusted certs.

Jay
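
Added example, not part of the original messages: a check of the point made in this thread, that a client holding only the root CA can validate a server certificate only when the server also supplies the intermediate. It assumes the openssl command-line tool (1.1.1 or later) is installed; the three-certificate chain, its subject names and file names are constructed for the demonstration and are not InCommon or Comodo certificates.

```shell
#!/bin/sh
# Build a constructed chain: root CA -> intermediate CA -> server (leaf) certificate.
make_chain() {
  d=$1
  # Minimal config so the result does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name=req\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"
  # Self-signed root: the only certificate the "client" trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root CA" \
    -config "$d/ca.cnf" -extensions v3_ca \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
  # Intermediate CA, signed by the root and marked CA:TRUE.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
    -config "$d/ca.cnf" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.cnf" -extensions v3_ca \
    -out "$d/int.pem" 2>/dev/null &&
  # Server certificate, signed by the intermediate (not by the root).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.edu" \
    -config "$d/ca.cnf" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Model a client that trusts only the root. "-untrusted" stands for the extra
# certificates the server presents alongside its own during the handshake.
client_verifies() {
  d=$1
  case $2 in
    leaf-only)         openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" ;;
    with-intermediate) openssl verify -CAfile "$d/root.pem" \
                         -untrusted "$d/int.pem" "$d/leaf.pem" ;;
    *) return 2 ;;
  esac >/dev/null 2>&1
}

dir=$(mktemp -d)
make_chain "$dir"
for mode in leaf-only with-intermediate; do
  if client_verifies "$dir" "$mode"; then
    echo "$mode: chain verifies against the root"
  else
    echo "$mode: verification fails (issuer of the server cert is unknown)"
  fi
done
```

The leaf-only case is what a client sees when the intermediate from the certificate bundle has not been installed on the server.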
