ssl certificate advice

ssl certificate advice

[Gregory Nowak]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all.

I thought I'd throw this out there, to see what kind of ideas I get
back, and if there are maybe enough of the same type of responses to
qualify as a majority consensus.

I'm setting up a webmail account for my mother on my server, and she's
transitioning from using webmail at a major ISP for the last 6 years
or so. She checks her mail on her windows laptop, which spends all of
its time so far sitting on her desk at home. She hasn't checked her
webmail on a pc other than her laptop for the last 6 years as far as I
know, but that can of course happen at any time. 

The webmail sessions have to be encrypted, she refuses to login to any
account, if it doesn't have the lock icon, or if that lock icon
doesn't look like it's supposed to. I know she'd also complain if
internet explorer told her that there is a problem with a site's
certificate every time she clicked a link to go to another page. So,
to summarize, it has to go over https, even if it will just be over
our wired lan, and ssl has to behave as it would for most other
sites. Also, getting a commercial ssl certificate isn't an option, not
at this point anyway.

I am considering signing up with cacert.org, and getting a standard
automatically signed certificate through their system, and importing
their root cert on my mom's machine. However, cacert's emphasis is
on authentication, (and rightly so). They even state on their site
that their goal is to create a web of trust among all their users. On
the other hand, I'm just interested in the encryption benefits of ssl
in this case, and not in authentication.

So, what I'm trying to decide is if it's worth it for me to sign up
with cacert.org, thus getting a certificate signed by them, but in
turn also being bound by responsibilities in their rather long, and
many agreements, or if it would be a better idea, considering the
circumstances, and my goal of encryption vs. authentication, to simply
import my own root cert on my mother's machine. From what I've seen,
importing a root cert into windows for a user isn't a walk in the
park, whereas cacert has an activex control that will import their
root cert. This however isn't a major deciding factor for me. The way
I see it, given that my mom checks her mail on her laptop, I'm better
off importing my own root cert on her machine. She would get
complaints from internet explorer, if she ever checked her mail on
another machine, but at this point in time, it would be the same with
cacert's root certificate also. As for other users who currently have
accounts on my system, getting a cacert-signed certificate would
benefit them in the long run, but at this point, there are only a
couple of people with accounts here, and none of them use webmail from
what I've seen based on my apache logs.

So, what I'm trying to settle on is if it's worth it for me to sign up
with cacert, the way things stand now with their root cert,
(especially given that I'm not interested in authentication, and
wouldn't be interested in meeting up with someone else to verify me,
or for me to verify them, if that's possible), or if I should just
import my root cert on my mom's machine. Any thoughts which would
contribute in helping me to decide one way or the other, especially
pointing out anything I over looked, would be appreciated, and thanks
in advance.

Greg


- -- 
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)

- --
Free domains: http://www.eu.org/ or mail dns-manager@EU.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkrc9xYACgkQ7s9z/XlyUyClEwCdGInlyqKV+3xw4+hmC4/tX/yW
CEsAn3tvBRHWgccG+QYAYRoEyzaFDNxy
=i79e
-----END PGP SIGNATURE-----

Re: ssl certificate advice

[Zachary Kline]

Hi Greg,
I'm not all that familiar with SSL, so this is a relatively unconsidered
opinion.  
Personally, I'd think it'd probably be easier for you to import your own
root certificate on her laptop.  From the sound of things, the odds of
her checking webmail from another pc are not very high.  More over, you
get to use the certificate however you like, in your case for encryption
without so many strings attached.
All the best,
Zack.
On Mon, Oct 19, 2009 at 04:32:39PM -0700, Gregory Nowak wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi all.
> 
> I thought I'd throw this out there, to see what kind of ideas I get
> back, and if there are maybe enough of the same type of responses to
> qualify as a majority consensus.
> 
> I'm setting up a webmail account for my mother on my server, and she's
> transitioning from using webmail at a major ISP for the last 6 years
> or so. She checks her mail on her windows laptop, which spends all of
> its time so far sitting on her desk at home. She hasn't checked her
> webmail on a pc other than her laptop for the last 6 years as far as I
> know, but that can of course happen at any time. 
> 
> The webmail sessions have to be encrypted, she refuses to login to any
> account, if it doesn't have the lock icon, or if that lock icon
> doesn't look like it's supposed to. I know she'd also complain if
> internet explorer told her that there is a problem with a site's
> certificate every time she clicked a link to go to another page. So,
> to summarize, it has to go over https, even if it will just be over
> our wired lan, and ssl has to behave as it would for most other
> sites. Also, getting a commercial ssl certificate isn't an option, not
> at this point anyway.
> 
> I am considering signing up with cacert.org, and getting a standard
> automatically signed certificate through their system, and importing
> their root cert on my mom's machine. However, cacert's emphasis is
> on authentication, (and rightly so). They even state on their site
> that their goal is to create a web of trust among all their users. On
> the other hand, I'm just interested in the encryption benefits of ssl
> in this case, and not in authentication.
> 
> So, what I'm trying to decide is if it's worth it for me to sign up
> with cacert.org, thus getting a certificate signed by them, but in
> turn also being bound by responsibilities in their rather long, and
> many agreements, or if it would be a better idea, considering the
> circumstances, and my goal of encryption vs. authentication, to simply
> import my own root cert on my mother's machine. From what I've seen,
> importing a root cert into windows for a user isn't a walk in the
> park, whereas cacert has an activex control that will import their
> root cert. This however isn't a major deciding factor for me. The way
> I see it, given that my mom checks her mail on her laptop, I'm better
> off importing my own root cert on her machine. She would get
> complaints from internet explorer, if she ever checked her mail on
> another machine, but at this point in time, it would be the same with
> cacert's root certificate also. As for other users who currently have
> accounts on my system, getting a cacert-signed certificate would
> benefit them in the long run, but at this point, there are only a
> couple of people with accounts here, and none of them use webmail from
> what I've seen based on my apache logs.
> 
> So, what I'm trying to settle on is if it's worth it for me to sign up
> with cacert, the way things stand now with their root cert,
> (especially given that I'm not interested in authentication, and
> wouldn't be interested in meeting up with someone else to verify me,
> or for me to verify them, if that's possible), or if I should just
> import my root cert on my mom's machine. Any thoughts which would
> contribute in helping me to decide one way or the other, especially
> pointing out anything I over looked, would be appreciated, and thanks
> in advance.
> 
> Greg
> 
> 
> - -- 
> web site: http://www.romuald.net.eu.org
> gpg public key: http://www.romuald.net.eu.org/pubkey.asc
> skype: gregn1
> (authorization required, add me to your contacts list first)
> 
> - --
> Free domains: http://www.eu.org/ or mail dns-manager@EU.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> 
> iEYEARECAAYFAkrc9xYACgkQ7s9z/XlyUyClEwCdGInlyqKV+3xw4+hmC4/tX/yW
> CEsAn3tvBRHWgccG+QYAYRoEyzaFDNxy
> =i79e
> -----END PGP SIGNATURE-----
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

Re: ssl certificate advice

[Tony Baechler]

Hi,

I would go with Rapid SSL.  They are commercial but they're cheap.  I 
think they're around $13 USD per year.  You could also sign up for a 
really cheap web hosting account and maybe borrow their cert, depending 
on what host you pick.  We had a situation with a small business who 
didn't want to pay a fortune for a cert but needed encryption for 
assignment forms.  Rather than have a self-signed cert which would cause 
warnings to come up, we went with them.  They worked fine and did the 
job.  We're actually still using that cert even though the business 
dropped their own private server.  I'm pretty sure it was $39 for three 
years, but that could be off.  I'm also thinking that prices might have 
dropped, so definitely shop around first.  Their site is a bit confusing 
and leaves a little to be desired in terms of accessibility, but it 
isn't too bad and probably wouldn't require importing a new root cert.  
http://www.rapidssl.com/  There are two of them, one is significantly 
more expensive and requiring a phone call or some such.  You want the 
other one that's cheaper and just requires filling out a form and 
providing a valid email address.  I don't remember how to get there, 
unfortunately.  If you have questions, write off-list if you want.  It's 
fairly simple to import into Apache, but I didn't get pop3s working.

Re: ssl certificate advice

[John G. Heim]

Personally, I think signing up at cacert.org is worth the trouble. You get 
that out of the way and from then on generating and keeping track of your 
certificates is a breeze. If you need to reinstall a cert, it's right there 
on their web site.

----- Original Message ----- 
From: "Gregory Nowak" <greg@romuald.net.eu.org>
To: <speakup@braille.uwo.ca>
Sent: Monday, October 19, 2009 6:32 PM
Subject: ssl certificate advice


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all.
>
> I thought I'd throw this out there, to see what kind of ideas I get
> back, and if there are maybe enough of the same type of responses to
> qualify as a majority consensus.
>
> I'm setting up a webmail account for my mother on my server, and she's
> transitioning from using webmail at a major ISP for the last 6 years
> or so. She checks her mail on her windows laptop, which spends all of
> its time so far sitting on her desk at home. She hasn't checked her
> webmail on a pc other than her laptop for the last 6 years as far as I
> know, but that can of course happen at any time.
>
> The webmail sessions have to be encrypted, she refuses to login to any
> account, if it doesn't have the lock icon, or if that lock icon
> doesn't look like it's supposed to. I know she'd also complain if
> internet explorer told her that there is a problem with a site's
> certificate every time she clicked a link to go to another page. So,
> to summarize, it has to go over https, even if it will just be over
> our wired lan, and ssl has to behave as it would for most other
> sites. Also, getting a commercial ssl certificate isn't an option, not
> at this point anyway.
>
> I am considering signing up with cacert.org, and getting a standard
> automatically signed certificate through their system, and importing
> their root cert on my mom's machine. However, cacert's emphasis is
> on authentication, (and rightly so). They even state on their site
> that their goal is to create a web of trust among all their users. On
> the other hand, I'm just interested in the encryption benefits of ssl
> in this case, and not in authentication.
>
> So, what I'm trying to decide is if it's worth it for me to sign up
> with cacert.org, thus getting a certificate signed by them, but in
> turn also being bound by responsibilities in their rather long, and
> many agreements, or if it would be a better idea, considering the
> circumstances, and my goal of encryption vs. authentication, to simply
> import my own root cert on my mother's machine. From what I've seen,
> importing a root cert into windows for a user isn't a walk in the
> park, whereas cacert has an activex control that will import their
> root cert. This however isn't a major deciding factor for me. The way
> I see it, given that my mom checks her mail on her laptop, I'm better
> off importing my own root cert on her machine. She would get
> complaints from internet explorer, if she ever checked her mail on
> another machine, but at this point in time, it would be the same with
> cacert's root certificate also. As for other users who currently have
> accounts on my system, getting a cacert-signed certificate would
> benefit them in the long run, but at this point, there are only a
> couple of people with accounts here, and none of them use webmail from
> what I've seen based on my apache logs.
>
> So, what I'm trying to settle on is if it's worth it for me to sign up
> with cacert, the way things stand now with their root cert,
> (especially given that I'm not interested in authentication, and
> wouldn't be interested in meeting up with someone else to verify me,
> or for me to verify them, if that's possible), or if I should just
> import my root cert on my mom's machine. Any thoughts which would
> contribute in helping me to decide one way or the other, especially
> pointing out anything I over looked, would be appreciated, and thanks
> in advance.
>
> Greg
>
>
> - -- 
> web site: http://www.romuald.net.eu.org
> gpg public key: http://www.romuald.net.eu.org/pubkey.asc
> skype: gregn1
> (authorization required, add me to your contacts list first)
>
> - --
> Free domains: http://www.eu.org/ or mail dns-manager@EU.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iEYEARECAAYFAkrc9xYACgkQ7s9z/XlyUyClEwCdGInlyqKV+3xw4+hmC4/tX/yW
> CEsAn3tvBRHWgccG+QYAYRoEyzaFDNxy
> =i79e
> -----END PGP SIGNATURE-----
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
> 

Re: ssl certificate advice

[Joseph C. Lininger]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Greg,
Generally in your situation a privately created root certificate works
just fine. Use openssl to generate a trusted certificate, then use that
to sign a standard certificate for apache or what ever to use. YOu can
create multiple standard certificates for different things and sign them
with your private root cert.

Making windows trust it is actually pretty easy. If you need help with
that, I'd be happy to walk you through it.
- --
Those of you who think they know everything are very annoying to those
of us who actually do.
Joseph C. Lininger, <jbahm@pcdesk.net>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQEcBAEBCAAGBQJK3eshAAoJEMh8jNraUiwqz2MIAKcteBaRhaC4ErubBrlTPA02
ukvCXaw0pzVDhxtdmzvt0S5QnAreyt0n3orYxoh85BDwdpfliREjwbpIcfwlzvmh
60ywN/wWriwXv1IMDLK739T5kvGvth8R/dnda5svXgs7DJksxGY7OcKi7FFcTQN4
hzSavSzyVwu9sjqj+pOU6jUEl7O157MTptrZlfTxaI6EU+iXBf57fOXgrOLwJpFZ
dg2sV8k1rQQ5nA+hRlmHX5L2Ko8qhgJt7uHZf8dYAL6Z8gXDWH9SaGc0kDmDLqjv
lJfeebhseNB5WsSCLP9m178XU18Q5xABqdfMz3jISp7EksqwmXbQxkSZ0RpSDCk=
=6yqV
-----END PGP SIGNATURE-----

re: ssl certificate advice

[Gregory Nowak]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi again everyone.

I wanted to say thanks to all who responded to my query for ideas for,
or against going with cacert. I've decided in the end to generate my
own root cert, and go with that. In the final analysis, most web
browsers accessing my site over ssl would get the same initial result,
whether I had gone with cacert, or not, as of now anyway. I also think
that Zach had summed it up the best when he pointed out that going
with my own root cert meant I had no strings attached, which would not
have been true for a cert issued by cacert. 

Also, thanks to Joseph L., for pointing out that getting a root cert
to be trusted by windows isn't that hard. When I first saw the steps
on cacert's wiki for manually importing a cert, I really only focused
on the number of steps there were, and not so much on what each step
contained. After reading Joseph's message, I had another more careful
look at that wiki entry, and was able to quit lynx, reboot into
windows, and basically import my root cert by feel/memory. I also must
admit that I was leaning towards using my own root cert, but didn't
want to say that in my initial post, so as to not influence whatever
responses I got. I also feel good about my choice, since this isn't
permanent of course, and when cacert gets their root cert into
most/all major browsers, I can always sign up with them then, or even
go commercial down the road.

Thanks again to those who responded, in spite of some fairly recent comments to the
contrary, this list is a great place to be.

Greg


- -- 
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)

- --
Free domains: http://www.eu.org/ or mail dns-manager@EU.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkrf/yIACgkQ7s9z/XlyUyDYMQCgrTygF8ZkR+EPHgoKRADg7LMU
tlIAni3D6psEtVlBp6ows+xaAzLME4oM
=ni36
-----END PGP SIGNATURE-----

Re: ssl certificate advice

[Joseph C. Lininger]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Greg,
No problem. I used to have a private root cert which I generated with
openssl. This was before I purchased one from godaddy to secure my mail
server. If you need any assistance making things work, let me know. It
can be a little tricky if you've never done it, but it's not impossible.
- --
Those of you who think they know everything are very annoying to those
of us who actually do.
Joseph C. Lininger, <jbahm@pcdesk.net>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQEcBAEBCAAGBQJK4Z+FAAoJEMh8jNraUiwq7d8IALRQSd8a26c0rE7oGrmDaB0B
nya1jG8KOTKwJx+8ZxflCk+WpEbSXIFxlfVS4p34gqxu+/R29CxbGljbljlygrvb
Dcc2i75aIPhlDi9zMF3qVbUnt2ELHPABjYNzEurLn3ggngpUBycLeoVxuZinYc0u
sQh3BtKGl6xPxvjT+L2ZM6YdbeQonkTbvANzvWnXNyfsHNgmMTVx5iXLjLz03xER
iy2sKC/XPDlmKD99oB5V2gWUX4UmyRjB4yN0iHb3qaMdtrIXoJUyO157nyqTGrxP
LdLIaOa2n5WfTN0Bf8FawWKFPUHHSTfDbTU3BVq3/jZXQdZd1GkwsgGoy1+M/IA=
=JajS
-----END PGP SIGNATURE-----