[olug] Web Site Certificates - OT
Dan Anderson
dan-anderson at cox.net
Thu Jul 31 23:34:11 UTC 2008
On Thu, Jul 31, 2008 at 5:52 PM, Will Langford <unfies at gmail.com> wrote:
>
> I think with GoDaddy it was a fax of my driver's license.
If the driver's license matches the owner of the domain this is not too bad.
> So, if compromised, its just an 'owell, too bad, thanks for giving us your
> money anyway' ?
This is not an everyday type of occurance AND it would be a reputation
ruining experience. I can't recall a CA root key compromise off hand
- I'm not saying it has never happened, but again, not an everyday
sort of deal. Root keys are generally very well protected, and often
off-line (doing general day to day signing with an intermediate key
that can be revoked).
> Annnndddd.... is there any legal standing on using SSL certs for
> identification ?
Identification of what? Do you mean individual non-repudiation?
That's more a digital signature thing, SSL encrypts traffic and allows
you to verify that the remote end is, with a good degree of certainty,
who they say they are (domain in the cert matches the domain it came
from and the signature matches the CA).
> What if we want an SSL cert just to encrypt the transfer, not necessarily
> validate that Will Langford does indeed own a given domain... but rather
> that a given domain does belong to a given IP address and similar ? IE:
> domain validation rather than entity validation ?
Self signed SSL can still encrypt the data - it will just report an
error (this was discussed earlier).
SSL does not - for the most part (unless that is your O or OU - even
then that's not really the purpose) - validate that Will Langford owns
a domain.
SSL does not care about IPs at all - look up DNSSEC for this sort of
thing (signed zones).
SSL only:
1. Encrypts the data being passed
2. Checks the signature of the cert received from the remote end to
make sure it matches the CA signature stored in the browser
3. Compares the fully qualified domain in the cert received to the
one you requested
4. The cert received is valid (not expired)
It can do more then this (client certs, etc), but this is the normal setup.
Dan
More information about the OLUG
mailing list