Owen Boyle wrote:
> 
> Michael wrote:
> > Is there any reason to pay for Verisigned keys or does setting up our
> > companies own CA work equally well?
> 
> Technically, a self-signed certificate will work perfectly well.
> However, the browser will "inform" the user that it doesn't recognise
> the authority that signed this certificate. If you use Verisign etc.,
> the browser will already recognise them as a Certificate Authority and
> accept the certificate without a squeak.

This is not necessarily a reason not to use a self-signed certificate,
because the same applies to some lesser-known CAs. For instance, until
not so long ago, the root certificate of GlobalSign (an official CA in
Belgium) was not included in MSIE by default. You then had to import
their root certificate into your browser manually to get rid of the
warnings. And one can do exactly the same with the self-signed root
certificate of your self-made CA.

The idea behind using a CA like Verisign, however, is not that it avoids
some warnings in your browser, but that it is a neutral, trusted third
party that certifies to your users that you are who you say you are,
and to you that your users are who they say they are (provided you use
client authentication).
If you use a self-signed certificate, you basically say to your users
"just trust me, I am who I say I am". If that is acceptable, then you
don't really need an official CA, and SSL will still provide you with
integrity, confidentiality and non-repudiation (and even client
authentication if you provide your clients with a certificate signed by
your own CA).

Regards,
Jan Dries
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
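The "self-made CA" and "client certificate signed by your own CA" that the reply describes, as an added worked example (this script is not from the thread or from the mod_ssl project). It assumes the OpenSSL command-line tool is installed; the directory, file names, the CN "Example Internal Root CA", the host name www.example.test and the client name alice are all made up for the demonstration. It builds a self-signed root, has that root sign one server certificate (EKU serverAuth) and one client certificate (EKU clientAuth), then shows that verification succeeds only when the verifier trusts your root, and only for the purpose each leaf was issued for; verification against the default system store fails exactly the way a browser's "unknown authority" warning does.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post.
# Assumes: the openssl CLI (1.1.x, 3.x or LibreSSL) is on PATH.
set -eu

# make_ca DIR: create a self-signed root CA (ca.key, ca.crt) in DIR.
# An explicit config is used so no system openssl.cnf is needed.
make_ca() {
  ca_dir=$1
  mkdir -p "$ca_dir"
  cat > "$ca_dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -config "$ca_dir/ca.cnf" -keyout "$ca_dir/ca.key" -out "$ca_dir/ca.crt" \
    >/dev/null 2>&1
}

# issue_cert DIR NAME CN EKU [SAN]: generate a key and CSR for NAME and
# have the CA in DIR sign it as an end-entity cert limited to one purpose
# (serverAuth or clientAuth). SAN is optional, e.g. DNS:www.example.test.
issue_cert() {
  ca_dir=$1; leaf=$2; cn=$3; eku=$4; san=${5:-}
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' \
    "$cn" > "$ca_dir/$leaf.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$ca_dir/$leaf.cnf" \
    -keyout "$ca_dir/$leaf.key" -out "$ca_dir/$leaf.csr" >/dev/null 2>&1
  # Extensions the CA stamps onto the leaf (the CSR's own are ignored).
  {
    echo "basicConstraints = CA:FALSE"
    echo "keyUsage = critical, digitalSignature, keyEncipherment"
    echo "extendedKeyUsage = $eku"
    if [ -n "$san" ]; then echo "subjectAltName = $san"; fi
  } > "$ca_dir/$leaf.ext"
  openssl x509 -req -in "$ca_dir/$leaf.csr" \
    -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$ca_dir/$leaf.ext" \
    -out "$ca_dir/$leaf.crt" >/dev/null 2>&1
}

# verify_cert DIR NAME PURPOSE: verify NAME.crt against our own root for
# PURPOSE (sslserver or sslclient). Exit status 0 means "trusted"; this
# is what a browser does once your root is imported.
verify_cert() {
  ca_dir=$1; leaf=$2; purpose=$3
  openssl verify -CAfile "$ca_dir/ca.crt" -purpose "$purpose" \
    "$ca_dir/$leaf.crt" >/dev/null 2>&1
}

# verify_without_ca DIR NAME: verify NAME.crt against the default system
# trust store only. Our private root is not in it, so this fails, which
# is the "unknown authority" warning from the thread in command-line form.
verify_without_ca() {
  openssl verify "$1/$2.crt" >/dev/null 2>&1
}

# Stand-alone demo: one root, one server cert, one client cert.
demo_dir=$(mktemp -d)
make_ca "$demo_dir"
issue_cert "$demo_dir" server www.example.test serverAuth DNS:www.example.test
issue_cert "$demo_dir" client alice clientAuth
for check in "server sslserver" "client sslclient" "server sslclient"; do
  set -- $check
  if verify_cert "$demo_dir" "$1" "$2"; then r=trusted; else r=REJECTED; fi
  echo "$1.crt for purpose $2: $r"
done
if verify_without_ca "$demo_dir" server; then
  echo "server.crt against system store: trusted"
else
  echo "server.crt against system store: REJECTED (issuer unknown)"
fi
rm -rf "$demo_dir"
```

The third check in the loop is the one worth noticing for client authentication: a certificate your CA issued for serverAuth is rejected when presented for sslclient, so the purpose you put in extendedKeyUsage, not just the signature of your root, decides what a certificate can be used for.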
