SSL: How to Choose a Certificate Authority
lessthan0 writes "Secure Sockets Layer (SSL) is the backbone of e-commerce on the web. It is the protocol used to encrypt communications between a web browser and web server, though it can also be used for other applications. To use SSL on your own web server, you often need to deal with an external company called a certificate authority (CA). Three major considerations come into play when choosing a CA: trust, audience, and cost."
Re:Wrong (Score:5, Interesting)
I was ready to write the exact same thing you were.
Of course things have gotten a bit better over the years.
When I first started on the Internet, the only way to get a secure certificate was to buy a Netscape server ($5,000) and then to buy a Verisign certificate. I don't even remember how much the certificate was at the time, just that it was expensive.
I remember feeling that crypto people, with their curious obsessions about identity and the like, were creating a world way too complex for anyone but other crypto people to manage, and events seem to have borne me out.
D
(PS Anyone else feel the new format seems to have sapped the vitality out of Slashdot? Maybe because it now looks like every other site on the web. It does load faster but I don't know if this change was really that brainy a scheme.)
Or just sign your own (Score:5, Interesting)
The US military does it. Going to https://www.mol.usmc.mil/ in either IE or Firefox asks if you want to trust the cert.
I'm not sure about IIS, but OpenSSL certainly has a mechanism for signing your own SSL certs, as do load balancers with SSL acceleration support. Commercial, "trusted" SSL certs seem to be useful primarily for preventing security warning popups.
From my own experience with Equifax (currently GeoTrust and soon to be Verisign thanks to acquisitions and consolidation), I know that it took them years to get their root certificate added into the Java keystore. Any application using a not-very-current version of the JDK will still generate errors when faced with GeoTrust certs. Buying certs from a smaller CA with less penetration into end-user keystores can be little or no better than signing certs yourself.
From my viewpoint, the only two viable options are paying top dollar for the certs that will work for most people or signing your own. Which option to go with is largely a budget issue.
-DaveU
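The two points in the post above, that OpenSSL can act as your own CA and that a certificate only verifies when its root is in the client's trust store, can be shown end to end with OpenSSL alone. The following is an added example, not code from the thread or from any CA; the CA name, hostname and working directory are assumptions chosen for illustration:

```shell
#!/bin/sh
# Added example: run a private CA with OpenSSL, issue a server certificate,
# and verify it with and without the CA in the trust store.
# "Example Private Root CA", "www.example.test" and $WORK are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. The private CA: a self-signed root certificate and its key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Private Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. A server key and CSR, then a certificate signed by the private CA.
#    Modern clients match on subjectAltName, so it is added as an extension.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:www.example.test\n' > "$WORK/san.ext"
    openssl x509 -req -days 90 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/san.ext" -out "$WORK/server.crt" >/dev/null 2>&1
}

# Verify the server certificate against a given PEM trust store.
# Prints "ok" when the chain builds to a trusted root, "fail" otherwise.
verify_with_store() {
    if openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Client that has our root installed (the "keystore" contains ca.crt).
verify_with_ca() {
    verify_with_store "$WORK/ca.crt"
}

# Client that does not have our root: an empty trust store stands in for a
# browser or JDK whose bundle never picked up this CA.
verify_without_ca() {
    : > "$WORK/empty.pem"
    verify_with_store "$WORK/empty.pem"
}

make_ca
make_server_cert
echo "root in trust store:     $(verify_with_ca)"      # ok
echo "root not in trust store: $(verify_without_ca)"   # fail
```

The second verification fails for exactly the reason the post gives for small CAs: the signature on the server certificate is perfectly valid, but the verifier has no path from it to a root it trusts. Installing `ca.crt` into each client's store (browser, JDK `cacerts`, OS bundle) is what turns the warning into a silent success, and that distribution work is the real cost of signing your own.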
We like to choose our University as the authority (Score:3, Interesting)
If you don't trust us, why are you sharing data with us?
That's the question we ask.
Now, if you're going commercial, I think you need to use one of the standard SSL authorities, even though it is more expensive.
Re:Or just sign your own (Score:3, Interesting)
Re:Wrong (Score:2, Interesting)
However, some people drive BMWs, Lexii, or Mercedes for reasons I don't quite fathom, but their major consideration is probably NOT cost, cost and cost. I imagine these people want to be associated with reputable enterprises, and are willing to pay a somewhat meager fee just in case someone happens to follow them out of the business rooms to see what car they actually drive. I don't think the CEO of my company drives a Honda, and I'm pretty sure that I won't convince him to buy one with a solely "cost, cost, and cost" argument, any more than I'll convince him to buy our certs from Bob's Discount Browser Trusted Certs.