Domain: openca.org
Stories and comments across the archive that link to openca.org.
Comments · 12
-
Re:Man in the middle?
And for the record, OpenCA is all you need, although it's not super simple to use.
JigJag
-
Re:One Question
> But a self-signed cert is better than no cert so there certainly shouldn't be more
> stringent notifications than there are for completely unencrypted pages.This would be fine if self-signed certs also didn't show any encryption indicators. But people want to see those for some reason... Then you have to make it clear that they're not quite the same as the encrypted pages one is used to.
> open and free ca like https://www.openca.org/
They're free to ask to be included (which includes an audit that verifies that they in fact verify domain ownership). The process does take a little bit of time on everyone's part, of course.
-
Re:One Question
Not really, you can easily buy 'legitimate' certs certifying you are a company you have nothing to do with.
Certs don't verify you are talking to who you think you are in reality. Certs should verify you are talking to the DOMAIN you think you are. But a self-signed cert is better than no cert so there certainly shouldn't be more stringent notifications than there are for completely unencrypted pages. Further, open and free ca like https://www.openca.org/ should be in the root trust of the browser, since they verify domain ownership.
-
Domain only?
For all but the biggest transactions, most people couldn't care less about what the certificate says. Really, how many people check the certificate on, say, PayPal, to see that it's actually owned by them?
I'm all for breaking the monopoly of current root CAs, but for the most part, that's already being undertaken over at OpenCA, which is indeed trying to get included into major browsers. (Last I heard, they had problems with IE, but Mozilla and perhaps Apple were willing to let them try if they had several audits, among other things.)
Perhaps a better solution would be for Firefox 3 to detect self-signed certificates (separate from expired, or wrong-domain certificates) and warn the user that there's no good way to be sure that the people running the website are who they say they are, but that if all they want to do is connect and have an encrypted communication, have a simple (but slightly scary) button to proceed, once per session. That of course wouldn't protect against man-in-the-middle attacks, but that's the reason the root CA infrastructure is in place. Getting something like OpenCA in more browsers is probably the best (only?) fix for that. -
openCA anyone?
so, is anyone using openCA ?
How does it compare to other solutions metioned here?
- Microsoft PKI
- RH Certification System
- tyneCA
- phpCA -
Take a look at OpenCA
Take a look at the OpenCA project http://www.openca.org/ or http://sf.net/projects/openca/
-
Be your own CA serverI'm surprised that this isn't mentioned, but you can start up your very own CA server, complete with revokeable certs for your domain's webservers, mail servers, mail accounts and (yikes) signed software.
I know I did, and boy am I glad.
Never mind the naysayers of having your own CA, I benefited greatly, and so should you.
-
Re:At this point...
SSL itself isn't secure enough for me -- I have to trust VeriSign. So there are better ways of storing really sensitive information.
This is wrong on two levels:
- Verisign has nothing to do with the security of data transmitted using SSL, and the only thing you could ever trust them for is vetting the identity of the people whose certificate requests they sign. They never control your private keys, and you can operate an SSL site that has nothing whatsoever to do with verisign. Just set up your own CA.
- SSL is not used for "storing really sensitive information". You use SSL to encrypt data in transit, not for storage.
-
Re:Create own CA, don't just self-sign
Take a look at OpenCA
-
Not for web sites but for home at least ....
You could try OpenCA, the OpenSource Certification Authority Toolkit. I haven't tried it but I'm about to so I can create signed apps for my HA stuff. I don't want my wife to keep asking me if she should accept this or not.
--
Linux Home Automation
Neil Cherry
ncherry@comcast.net
http://mywebpages.comcast.net/ncherry/ -
Establishing your own CA
You can create a CA yourself fairly easily (see OpenCA for one example). The real problem is how to get your root certificate onto users' machines. In a "closed" environment, it's simple to install the root cert on all machines that may need it; in the more general case, even though it is simple to create a link that will install the root cert, persuading Joe User to push on past the scary messages is a different matter.
-
An Existing CA Project..
http://www.openca.org/
Check them out.
--