From: Zachary Kline
To: "Speakup is a screen review system for Linux."
Subject: Re: ssl certificate advice
Date: Mon, 19 Oct 2009 16:41:28 -0700
Message-ID: <20091019234128.GA29121@blackbird>
In-Reply-To: <20091019233238.GA15735@romuald.net.eu.org>

Hi Greg,

I'm not all that familiar with SSL, so this is a relatively unconsidered opinion. Personally, I'd think it'd probably be easier for you to import your own root certificate on her laptop. From the sound of things, the odds of her checking webmail from another pc are not very high. Moreover, you get to use the certificate however you like, in your case for encryption without so many strings attached.

All the best,
Zack.

On Mon, Oct 19, 2009 at 04:32:39PM -0700, Gregory Nowak wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all.
>
> I thought I'd throw this out there, to see what kind of ideas I get
> back, and if there are maybe enough of the same type of responses to
> qualify as a majority consensus.
>
> I'm setting up a webmail account for my mother on my server, and she's
> transitioning from using webmail at a major ISP for the last 6 years
> or so. She checks her mail on her windows laptop, which spends all of
> its time so far sitting on her desk at home. She hasn't checked her
> webmail on a pc other than her laptop for the last 6 years as far as I
> know, but that can of course happen at any time.
>
> The webmail sessions have to be encrypted, she refuses to login to any
> account, if it doesn't have the lock icon, or if that lock icon
> doesn't look like it's supposed to.
> I know she'd also complain if
> internet explorer told her that there is a problem with a site's
> certificate every time she clicked a link to go to another page. So,
> to summarize, it has to go over https, even if it will just be over
> our wired lan, and ssl has to behave as it would for most other
> sites. Also, getting a commercial ssl certificate isn't an option, not
> at this point anyway.
>
> I am considering signing up with cacert.org, and getting a standard
> automatically signed certificate through their system, and importing
> their root cert on my mom's machine. However, cacert's emphasis is
> on authentication, (and rightly so). They even state on their site
> that their goal is to create a web of trust among all their users. On
> the other hand, I'm just interested in the encryption benefits of ssl
> in this case, and not in authentication.
>
> So, what I'm trying to decide is if it's worth it for me to sign up
> with cacert.org, thus getting a certificate signed by them, but in
> turn also being bound by responsibilities in their rather long, and
> many agreements, or if it would be a better idea, considering the
> circumstances, and my goal of encryption vs. authentication, to simply
> import my own root cert on my mother's machine. From what I've seen,
> importing a root cert into windows for a user isn't a walk in the
> park, whereas cacert has an activex control that will import their
> root cert. This however isn't a major deciding factor for me. The way
> I see it, given that my mom checks her mail on her laptop, I'm better
> off importing my own root cert on her machine. She would get
> complaints from internet explorer, if she ever checked her mail on
> another machine, but at this point in time, it would be the same with
> cacert's root certificate also.
> As for other users who currently have
> accounts on my system, getting a cacert-signed certificate would
> benefit them in the long run, but at this point, there are only a
> couple of people with accounts here, and none of them use webmail from
> what I've seen based on my apache logs.
>
> So, what I'm trying to settle on is if it's worth it for me to sign up
> with cacert, the way things stand now with their root cert,
> (especially given that I'm not interested in authentication, and
> wouldn't be interested in meeting up with someone else to verify me,
> or for me to verify them, if that's possible), or if I should just
> import my root cert on my mom's machine. Any thoughts which would
> contribute in helping me to decide one way or the other, especially
> pointing out anything I overlooked, would be appreciated, and thanks
> in advance.
>
> Greg
>
>
> - --
> web site: http://www.romuald.net.eu.org
> gpg public key: http://www.romuald.net.eu.org/pubkey.asc
> skype: gregn1
> (authorization required, add me to your contacts list first)
>
> - --
> Free domains: http://www.eu.org/ or mail dns-manager@EU.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iEYEARECAAYFAkrc9xYACgkQ7s9z/XlyUyClEwCdGInlyqKV+3xw4+hmC4/tX/yW
> CEsAn3tvBRHWgccG+QYAYRoEyzaFDNxy
> =i79e
> -----END PGP SIGNATURE-----