--On Tuesday, March 13, 2001 10:04:14 AM +0100 "Francisco M. Marzoa
Alonso" <[EMAIL PROTECTED]> wrote:
> On Tuesday 13 March 2001 09:59, Sam Newman wrote:
>> Joe Wrote:
>> > If you are using SSL then why even bother hashing the password? I
>> > think the original poster said he/she could not use SSL (but I may
>> > be mistaken).
>>
>> Well, we want to avoid SSL if possible. Certificates for the servers
>> aren't that cheap, and we could potentially have quite a few
>> servers. As we're a startup company, I don't really want to commit
Quite a few means 10? 25? 200? Thawte certs are about $125 each. The
price of one PC will be you quite a few certs at that price. I
responded in an earlier post to a question about how to do a digest MD5
challenge/response to do a secure signon, but I don't remember whether
it was this same thread or not. But the real issue is what about the
information transferred back and forth. Does it not also need to be
secured? If you are passing proprietary or otherwise confidential
information between the server and the browser, data encryption is an
absolute requirement -- it need not be SSL, but it needs to be
something. If the value of the service you are providing is in the
data itself, than encryption is the only intelligent business choice.
If the value of your services is not in the data itself, but rather the
value is in the fact that this data is gathered into one place and
searchable, etc, then just encrypting the login should be sufficient
(examples of the latter are the on-line database services that
individuals and institutions subscribe to -- what they are buying is
ease of access to mostly publically available data that has been
gathered together in one place and nicely archived -- in that case it's
the access to the archive and not the specific content, that
constitutes the service)
>> ourselves to get SSL, seeing as with SSL is only partly about
>> encryption - its more to do with making sure yiour dealing with
>> trusted parties.
50/50, it's about both. If the communication is important enough that
it needs to be encrypted -- which means kept secret -- well, it's
certainly important that you know whom you are sharing your secret
with. Thus, encryption and trust go hand in hand.
>
> As far as I known, you do NOT need Certificates, you can run SSL
> encryption without them, certificates are just for identify without
If you are doing SSL, you so REQUIRE a server certificate at minimum.
The server's public key, which the client needs, is in the certificate.
That exchange is part of the initialization process for SSL and is the
SSL v3 spec.
> doubt that a server is who it says. By other side, you can create
> your own certificates but they'll be not signed by a hmmmm...
> certification authority.
Becoming your own CA is a questionable practice unless everything is
in-house. Your self-signed certificate has installed in each and every
possible client system -- IE and Navigator come with a host of CA
certs, but yours. A better choice if one feels the need to be a CA for
their business is to get a signing certificate from a CA. They cost a
lot more than a regular certificate (like maybe 50 or 60 times), but
when you sign and issue a cert, the ultimate authority behind that cert
is the CA, and browsers will recognize it. But unless you need to
issue lots and lots of them, buying certs individually is a lot easier.
-- Rob
_ _ _ _ _ _ _ _ _ _
/\_\_\_\_\ /\_\ /\_\_\_\_\_\
/\/_/_/_/_/ /\/_/ \/_/_/_/_/_/ QUIDQUID LATINE DICTUM SIT,
/\/_/__\/_/ __ /\/_/ /\/_/ PROFUNDUM VIDITUR
/\/_/_/_/_/ /\_\ /\/_/ /\/_/
/\/_/ \/_/ /\/_/_/\/_/ /\/_/ (Whatever is said in Latin
\/_/ \/_/ \/_/_/_/_/ \/_/ appears profound)
Rob Tanner
McMinnville, Oregon
[EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
