[thelist] SSL Certificate Choices

Ken Schaefer Ken at adOpenStatic.com
Sun Jan 27 19:18:57 CST 2008


No, that's not how it works.

If the root CA is already trusted by the end client, then the server presents a cert that is ultimately chained back to the trusted root CA, and the intermediate CA certs are on the server, then /yes/ you can avoid the issue. But if the ultimate issuing root CA is not trusted, there'll be the usual warnings. So, no security hole per se.

Cheers
Ken

-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Robert Gormley
Sent: Sunday, 27 January 2008 9:09 AM
To: joshua at waetech.com; thelist at lists.evolt.org
Subject: Re: [thelist] SSL Certificate Choices

That seems odd. Are you saying that if the entire chain is on the
server, up to and including a root certificate, the browser will not
prompt for the use of an untrusted root cert? That seems both odd, and
an utterly huge security hole...

Robert

-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Joshua Olson
Sent: Friday, January 25, 2008 4:27 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] SSL Certificate Choices

> -----Original Message-----
> From: kasimir-k
> Sent: Friday, January 25, 2008 5:54 PM
>
> Using a free certificate the visitors must usually explicitly
> accept the CA as trusted. And if it is a site targeted to
> general public, the browser popping up a question "do you
> really trust this certificate authority?" does not appear
> too trustworthy...

I do not concur with the premise of this argument.  Free or inexpensive
certificates do not inherently present such a message--all that is
required to avoid the message is to put the intermediate certificates
(the whole chain) on the server.

Check out alphaSSL.

Joshua
