> On 10 August 2017, at 04:37, Alef Veld <alefv...@outlook.com> wrote:
> I completely agree (having said that I'm pretty new to all this so I might be 
> full of it). 
> You should run your own CA if you have an active financial interest in your 
> company (say your the owner). No added benefit to have your certificate 
> certified by a third party, why would they care about that one client). 
> Ofcourse people would say "but ofcourse you would verify your own 
> certificate" but in that case they probably don't understand how it all works.
> Ofcourse once your own company grows large you run the same risk of entropy 
> (incorrect documentation or records, no trained staff, no up to date 
> procedures etc.) large companies have to deal with. Maybe if you had one 
> person working full time on it, or an automated process handling things it 
> would be more secure and reliable.
> Was diginotar the Dutch company, I think I remember that one.
> Sent from my iPhone
>> On 10 Aug 2017, at 08:18, Stephan von Krawczynski <sk...@ithnet.com> wrote:
>> On Wed, 9 Aug 2017 08:39:30 -0700
>> Gregory Sloop <gr...@sloop.net> wrote:
>>> AV> So i’m using dovecot, and i created a self signed certificate
>>> AV> with mkcert.sh based on dovecot-openssl.cnf. The name in there matches
>>> AV> my mail server.  
>>> AV> The first time it connects in mac mail however, it says the
>>> AV> certificate is invalid and another server might pretend to be me etc.  
>>> AV> I then have the option of trusting it.  
>>> AV> Is this normal behaviour? Will it always be invalid if it’s not signed
>>> AV> by a third party?  
>>> Yes.
>>> The point of a trusted CA signing your cert is that they have steps to
>>> "verify" who you are and that you're "authorized" to issue certs for the
>>> listed FQDNs. Without that, ANYONE could create a cert, and sign it and then
>>> present it to people connecting to your mail server [perhaps using a MITM
>>> style attack.] The connecting party would have no way to tell if your cert
>>> vs the attackers cert was actually valid.
>>> It would be like showing up at the bank and having this exchange: 
>>> You: "Hey, I'm Jim Bob - can I take money out of his account?"
>>> Bank: "Do you have some ID?"
>>> You: "Yeah! See, I have this plastic card with my picture and name, that I
>>> ginned up in the basement."
>>> Now does the bank say: "Yeah, that looks fine." or do they say "You know we
>>> really need ID [a certificate] that's authenticated and issued [signed] by
>>> the state [third-party/trusted CA.]."
>>> I think it's obvious that accepting your basement produced ID would be a
>>> problem. [Even if we also admit that while the state issued ID (or trusted
>>> CA signed certs) has some additional value, it isn't without potential
>>> flaws, etc.]
>>> The alternative would be to add your CA cert [the one you signed the server
>>> cert with] to all the connecting clients as a trusted CA. This way your self
>>> signed cert would now be "trusted."
>>> [The details are left as an exercise to the reader. Google is your friend.] 
>>> -Greg
>> This was exactly the global thinking - until the day DigiNotar fell.
>> Since that day everybody should be aware that the true problem of a
>> certificate is not its issuer, but the "trusted" third party CA.
>> This could have been known way before of course by simply thinking about the
>> basics. Do you really think your certificate gets more trustworthy because
>> some guys from South Africa (just an example) say it is correct, running a
>> _business_? Honestly, that is just naive.
>> It would be far better to use a self-signed certificate that can be checked
>> through some instance/host set inside your domain. Because only then the only
>> one being responsible and trustworthy is yourself. And that is the way it
>> should be.
>> Everything else involving third party business is just bogus.
>> -- 
>> Regards,
>> Stephan

If you use a self-signed certificate, your users either have to accept the 
certificate when requested, or install your root certificate.  Installing the 
root certificate is not easy to explain to non-tech users even with 
step-by-step instructions with screen shots attached.  I have gone this 
approach ever since the RSA patents expired and it can be a pain at times.  
Users just don't understand the obnoxious warning (panic) messages the browsers 
put out that are intended to keep them from accepting self-signed certificates. 
 The browser developers don't understand the certificate trust issues either.  
Several Microsoft versions did not provide a way to accept the certificates.  
Those users were forced to install your root certificate.  However, as stated 
before, if you are only certifying your own certificates, then that is the most 
appropriate approach.

-- Doug

Reply via email to