On Thu, 21 Feb 2002 10:27:24 -0800 Jeff Lasman <[EMAIL PROTECTED]> wrote:
> > Usually you do not need a wildcard certificate. This is not
> > advertised, but browsers (most of them?) do a "suffix match"
> > on the CNAME. That is, purchase a certificate for "xyz.com",
> > and use it on the servers abc.xyz.com, def.xyz.com,
> > ghi.xyz.com - browsers will think that the name matches OK.
>
> Please let us know which browsers do this; it's not enough to know that
> "browsers" will break the rules when it comes to domain certification.

Last time I checked, a year or more ago, it was Netscape 4.7-something and,
I think, the IE that was current at that moment.

> In fact it's dangerous behavior; I'd not want to use a browser that did
> it.

There are no "rules" on this matter; and common sense says that if your
company gets a second-level domain and a CA certifies that it's yours, any
subdomains of this second-level domain should automatically be considered
yours too. So this is not dangerous but logical behavior. It is only
dangerous for the CA's revenue, because they will sell you fewer distinct
certificates.

> > I'd like to add that this whole CA business makes
> > me uneasy. Essentially, it is about making money out of
> > thin air (noticeable income for a thing that requires near
> > zero work). As such, it inevitably attracts the lovers
> > of easy money rather than trustworthy businesses. Which
> > defeats the whole idea of a CA as a 100% trusted entity.
>
> When Verisign first went into the business they earned their money; they
> went through a lot of hoops to make sure the company was who it said it
> was.
>
> Now Thawte does less and charges less. GeoTrust does still less and
> charges still less.
>
> That seems to be a fair tradeoff. If you want to have a cert from a
> U.S. company that knows who you are beyond a shadow of a doubt before
> issuing the cert, buy from Verisign, for somewhere around us$350 or so.
> If you want to buy from a South African company that does less in the
> way of due diligence and charges less, buy from Thawte for us$125. If
> you want to buy a GeoTrust cert from a company that verifies you can be
> reached at your domain and that you have the rights to the domain as
> enumerated in your registrar's whois database, buy from me for us$99
> <smile>.

Now tell me, does it really cost $99 to run a whois lookup and then run
"openssl ca <cert.req | mailx [EMAIL PROTECTED]"?

The business model is in fact this: make a deal with AOL and Microsoft so
they include your CA in the browser package, and start charging money
from the web site owners. Nothing to do with "trust".

OK, I've gone too far off-topic, sorry for that...

Eugene

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
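The wildcard-versus-"suffix match" question in the thread above comes down to how a TLS client compares the names in a certificate with the host it connected to. The following is an added example, not code from the cobalt-security thread or from any of the vendors mentioned: a pure-Python implementation of the name-matching rule in RFC 6125 section 6.4.3 (the same rule RFC 2818 describes for HTTPS), which is what browsers and libraries actually apply. A presented name matches either exactly or through a wildcard that is the entire leftmost label and stands for exactly one label; there is no suffix matching, so under this rule a certificate for "xyz.com" covers only "xyz.com", while "*.xyz.com" covers "abc.xyz.com" but neither "xyz.com" nor "a.b.xyz.com". The certificate records below are constructed dicts standing in for the subjectAltName and subject CN fields a real parser would extract; the refusal of very short wildcards such as "*.com" is an approximation of the Public Suffix List policy browsers use, and is labelled as such.

```python
"""Certificate hostname matching per RFC 6125 section 6.4.3 / RFC 2818.

Added example, not code from the cobalt-security thread. Pure Python, no
network access: the "certificates" are constructed dicts that mimic the
subjectAltName dNSName list and subject CN a certificate parser returns.
"""


def dns_name_matches(presented: str, hostname: str) -> bool:
    """True if certificate identifier `presented` covers `hostname`.

    Rules implemented (RFC 6125 section 6.4.3, RFC 2818 section 3.1):
      - comparison is case-insensitive and label by label
      - a wildcard '*' is accepted only as the complete leftmost label
      - the wildcard stands for exactly one label, never zero or several
      - without a wildcard the two names must be identical
    There is no suffix match: 'xyz.com' covers only 'xyz.com'.
    """
    p_labels = presented.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")

    if "*" not in presented:
        return p_labels == h_labels

    # Wildcard only as the whole leftmost label; partial-label wildcards such
    # as 'f*o.xyz.com' and wildcards in other labels are refused, which is
    # what mainstream clients do.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Assumption standing in for the Public Suffix List check browsers use:
    # refuse wildcards that would cover a whole TLD, e.g. '*.com'.
    if len(p_labels) < 3:
        return False
    # '*' covers exactly one label, so label counts must be equal.
    if len(h_labels) != len(p_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """Check a constructed certificate identity against a hostname.

    `cert` mimics a parser's output: {"san_dns": [...], "cn": "..."}.
    Per RFC 6125, when dNSName SAN entries are present only they are
    consulted; the subject CN is a fallback for SAN-less certificates.
    """
    san = cert.get("san_dns") or []
    if san:
        return any(dns_name_matches(name, hostname) for name in san)
    cn = cert.get("cn")
    return bool(cn) and dns_name_matches(cn, hostname)


def coverage(cert: dict, hosts: list) -> dict:
    """Map each hostname to whether `cert` is accepted for it."""
    return {h: cert_matches_host(cert, h) for h in hosts}


# Constructed certificates (not real ones): the single-name certificate the
# quoted post suggests buying, and a wildcard certificate for comparison.
BARE_XYZ_CERT = {"san_dns": [], "cn": "xyz.com"}
WILDCARD_XYZ_CERT = {"san_dns": ["*.xyz.com", "xyz.com"], "cn": "xyz.com"}

if __name__ == "__main__":
    hosts = ["xyz.com", "abc.xyz.com", "a.b.xyz.com", "notxyz.com"]
    print("xyz.com cert :", coverage(BARE_XYZ_CERT, hosts))
    print("wildcard cert:", coverage(WILDCARD_XYZ_CERT, hosts))
```

Run as a script it prints, for each constructed certificate, which of the four hostnames it would be accepted for; the bare "xyz.com" certificate is accepted only for "xyz.com", and the wildcard certificate is accepted for "xyz.com" and "abc.xyz.com" but not for the deeper "a.b.xyz.com".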
