[thelist] CA Information Request

Keith cache at dowebscentral.com
Wed Mar 6 17:32:01 CST 2002


Just from my experience......

> 1) What certifying authorities are commonly recognized by all
> commonly used browsers by default?

Up to Netscape 4.51 and IE5.1 browsers only recognize Verisign
chained certs. While Verisign still had a patent monopoly on RSA
they forced both browser manufacturers to question all other certs.

Because of Apartheid, South Africa had been barred from signing
the international patent treaties so Thawte was "legally" free to
create a new chain out of South Africa. Those older browsers
therefore prompted people to accept the Thawte CA chain.

That all changed with Verisign's patent expiring in 2001.

> 2) Do I need a certificate from them, or if
> I have a certificate from someone with a certificate from the root,
> will that be sufficient? 3) How far removed could a certificate be
> and is there any reason to be "higher up?"

If your certificate is on the Verisign or Thawte root chain then it
does not matter who "peddles" it, the root CA has permissioned
them to do so by one means or another. The only things a browser
needs to know are, does the algorithm work, was it self generated
or issued by a "Trusted Authority".

> 4) If a certificate is valid,
> will the browser ever prompt the user for approval?

There are two types of "valid" certs: a self-signed cert created by
the server does exactly the same encryption as a cert issued from a
Trusted Certificate Authority, but the self-signed cert is not issued
by a Trusted Certificate Authority, so it will cause a prompt forcing
the user to accept it.

So, what does a "Trusted Authority" bring to the party? There are 2
different levels of trust, 1) That the cert is indeed being offered by
the legal owner of the site, and 2) that the legal owner of the site is
a "trustworthy" party.

There has long been a legal question over whether certificate
vendors have any legal right or liability in vouching for a certificate
owner's trustworthiness (level 2) since companies like Verisign are
certainly not "experts" in that field. That's what credit card
companies and BBB do and many feel that CAs are not qualified or
"trustworthy" for that kind of thing.

As far as I know, there is only one CA vendor that offers a level 1
and a level 2 type cert, GeoTrust.  GeoTrust offers a Thawte
chained cert that they bought from Equifax. Their level 1 cert costs
$119 and can be installed two minutes after you've submitted the
Certificate Request on their site (I actually did one in 1 1/2 minutes).
During that 2 minutes GeoTrust checks with whois to get the
Administrative Contact's email. They then send a request to that
address asking where to email the cert to. This guarantees that the
site owner, or its legal representative, controlled possession of the
cert. That in turn guarantees to the browser that the cert was not
obtained by someone else posing as the site that the cert was
issued for. That cert is called a QuickSSL. Both NN4.51+ and
IE5.1+ browsers recognize it.

GeoTrust's level 2 cert (eBusinessID) does what the other CAs do
to verify trustworthiness: check proof of legally established business
ownership of the site (business license, bank account, etc.). It's
$199.


> 5) Does anyone
> know of a cheap CA?

Did I mention $119?

keith
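
An added illustration of the points in Keith's answers to questions 2 through 4 (example code, not from the post): it uses the Python `cryptography` library to build a constructed root -> reseller CA -> site chain plus a self-signed site cert with the same key type, then checks each the way a browser does, by asking only whether the signatures walk back to a root in the trust store. The CA names and hostname are made-up test values.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

def make_cert(cn, issuer=None, issuer_key=None, is_ca=False):
    """Issue a cert for cn (constructed test data). With no issuer it is self-signed."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name if issuer is None else issuer.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(key if issuer_key is None else issuer_key, hashes.SHA256()))
    return cert, key

def signed_by(cert, issuer):
    """True if cert's signature verifies under issuer's public key (RSA PKCS#1 v1.5)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False

def chains_to_trusted_root(leaf, intermediates, trust_store, max_depth=10):
    """Follow issuer links upward; True only if the walk ends at a cert in trust_store."""
    current = leaf
    for _ in range(max_depth):
        if current.subject == current.issuer:  # self-signed: trusted only if it IS a root
            return any(current == root for root in trust_store)
        candidates = [c for c in trust_store + intermediates if c.subject == current.issuer]
        issuer = next((c for c in candidates if signed_by(current, c)), None)
        if issuer is None:  # unknown issuer or bad signature: prompt the user
            return False
        current = issuer  # depth does not matter, only where the walk ends
    return False

def demo():
    root, root_key = make_cert("Example Root CA", is_ca=True)
    reseller, reseller_key = make_cert("Example Reseller CA", root, root_key, is_ca=True)
    site, _ = make_cert("www.example.test", reseller, reseller_key)
    self_signed, _ = make_cert("www.example.test")  # identical crypto, no CA behind it
    store = [root]
    return {"chained": chains_to_trusted_root(site, [reseller], store),
            "self_signed": chains_to_trusted_root(self_signed, [], store),
            "untrusted_root": chains_to_trusted_root(site, [reseller], [])}
```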
