[thelist] CA Information Request

Judah McAuley judah at wiredotter.com
Wed Mar 6 12:14:35 CST 2002


Feingold Josh S wrote:
> I have a few questions regarding certifying authorities:
>
> 1) What certifying authorities are commonly recognized by all commonly used
> browsers by default?
I know that Verisign and Thawte are.  I'm not sure about others.  Thawte
is now owned by Verisign, but still operates pretty independently.

> 2) Do I need a certificate from them, or if I have a certificate from
> someone with a certificate from the root, will that be sufficient?

If someone had a certificate that allowed them to further chain (issue
subcertificates) then it should theoretically work.  But I haven't seen
it in action before, so I'm not confident.  One of the big things about
certificate chains is that there needs to be a way to revoke
certificates.  The browsers install certificates from Root Authorities
assuming that they won't ever need to revoke the certificate.  The more
certificates get involved in a chain, the more likely the need to revoke
and the harder it would be to usefully revoke a certificate.

I seem to remember a couple of years ago, Microsoft had to revoke the
certificate they used to sign some of their software packages because it
was compromised.  That caused quite a headache.

> 3) How far removed could a certificate be and is there any reason to be
> "higher up?"
It's easiest to be right under a Root CA.  The exception is within an
enterprise where you can set up your own CA for internal use.  Then you
can install that certificate in all your users' browsers and use
certificate-based authentication.  Nice and secure, but requires quite a
bit of control of all the systems involved.  There might be good reasons
to do chained CAs in a large enterprise situation.

> 4) If a certificate is valid, will the browser ever prompt the user for
> approval?
The browser will prompt the user if the information contained in the
certificate doesn't match the information presented to the browser.  I.e.,
if the certificate secures www.mydomain.com and the browser is requesting
https://mydomain.com/ then the user will be prompted because of an
information mismatch.  If accepted, the channel will still be encrypted,
but the user will be warned.

> 5) Does anyone know of a cheap CA?

I really like Thawte.  http://www.thawte.com/  $125 SSL certificate.
$100 if you sign up as a reseller affiliate.  I've never liked Verisign.
Still don't.  Now that they own Network Solutions, I like them even less.

Hope this helps,
Judah
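The name-mismatch check described under question 4, as an added example that is not part of the original post: it applies the hostname-matching rules a browser uses to decide whether a certificate covers the requested host, using the www.mydomain.com / mydomain.com names from the reply. The certificates are constructed dictionaries in the shape Python's `ssl.SSLSocket.getpeercert()` returns (an assumption for illustration, not real certificates).

```python
# Sample peer certificates, constructed for this example in the dict shape
# that ssl.SSLSocket.getpeercert() returns. They are not real certificates.
CERT_WWW_ONLY = {
    "subject": ((("commonName", "www.mydomain.com"),),),
}
CERT_WITH_SAN = {
    "subject": ((("commonName", "www.mydomain.com"),),),
    "subjectAltName": (("DNS", "www.mydomain.com"), ("DNS", "mydomain.com")),
}
CERT_WILDCARD = {
    "subjectAltName": (("DNS", "*.mydomain.com"),),
}


def cert_dns_names(cert: dict) -> list[str]:
    """Names the certificate is valid for: subjectAltName DNS entries, falling
    back to the subject commonName only when no SAN is present (the legacy
    behaviour browsers relied on before SANs were universal)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname, case-insensitively.
    A wildcard is honoured only as the whole leftmost label and matches
    exactly one label, so '*.mydomain.com' covers 'www.mydomain.com' but
    neither the bare 'mydomain.com' nor 'a.b.mydomain.com'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards over a bare TLD such as '*.com'.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when the browser would accept this cert for `hostname` without a
    name-mismatch warning; False is the case the reply describes."""
    return any(_name_matches(name, hostname) for name in cert_dns_names(cert))


if __name__ == "__main__":
    for cert, host in [(CERT_WWW_ONLY, "www.mydomain.com"),
                       (CERT_WWW_ONLY, "mydomain.com"),
                       (CERT_WITH_SAN, "mydomain.com"),
                       (CERT_WILDCARD, "mydomain.com")]:
        print(f"{host:20} -> {'ok' if hostname_matches(cert, host) else 'MISMATCH'}")
```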