On Tue, 18 Nov 2025 08:15:48 -0500, Rick Troth <[email protected]> wrote:
<snip>
> But I have to point out that retaining your own data (keeping your
> cookies in-house) is wise.
<snip>

Let me make one important point about keeping your data at home, relative to commercial certificate authorities.

The certificate "thing" has two parts: the certificate itself, and the private key that corresponds to the certificate.

The certificate itself is "nothing." It is sent out, unencrypted, at the start of every TLS session. In my certificate class I have a slide with the certificate for WellsFargo.com on it. (Actually half of the certificate; it doesn't all fit on one slide.) Did I steal it? Is my showing it a risk to Wells Fargo? No, they send it out unencrypted at the start of every session anyway.

The private key is "everything." And here's the point: when you get a certificate signed by a commercial CA, you don't send them the private key. They never have the private key. It stays safely at home. All they have is the public part. (This assumes that you send them a CSR, the output of RACDCERT GENREQ. Most CAs will in fact generate the private key if you want, but that's not how RACF encourages you to do things.)

So I see very little risk -- I am going to go out on a limb and say no risk -- in sending CSRs off "into the cloud." Certificates go out into the cloud anyway every time you start a session.

Charles

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
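The point above (a CSR carries the public key and a self-signature, never the private key) can be checked rather than taken on faith. The following is an added example, not part of the IBM-MAIN post and not a RACF procedure: it uses OpenSSL, which is assumed to be installed, to play the role RACDCERT GENREQ plays on z/OS. It generates a key pair, builds a CSR for a made-up subject `CN=example.test`, then confirms that the CSR's embedded public key is the public half of the key that stayed at home, that the CSR's self-signature verifies, and that the CSR file cannot be read as a private key. Everything is written to a temporary directory and removed on exit.

```shell
#!/bin/sh
# Added example (not from the IBM-MAIN post): show that a CSR sent to a CA
# contains only public material. OpenSSL stands in for RACDCERT GENREQ here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. The private key. It is created here and never leaves this directory.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/private.key" 2>/dev/null

# 2. The CSR: subject name + public key, signed with the private key so the
#    CA can check that whoever sent it actually holds that key. The subject
#    CN is a constructed placeholder.
openssl req -new -key "$WORK/private.key" -subj "/CN=example.test" \
    -out "$WORK/request.csr" 2>/dev/null

# Returns 0 when the public key embedded in the CSR ($1) is exactly the public
# half of the private key ($2) and the CSR's self-signature verifies.
csr_matches_key() {
    from_csr="$(openssl req -in "$1" -noout -pubkey)"
    from_key="$(openssl pkey -in "$2" -pubout)"
    [ "$from_csr" = "$from_key" ] && \
        openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Returns 0 when the CSR ($1) cannot be parsed as a private key, i.e. there is
# no private-key material in the file you are about to send to the CA.
csr_has_no_private_key() {
    ! openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# Returns 0 when the file ($1) really is a readable private key, so the two
# checks above are comparing against something real.
is_private_key() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# Stand-alone run: dump what a CA actually receives (subject + public key only)
# and report the three checks.
openssl req -in "$WORK/request.csr" -noout -subject -text | \
    sed -n '/subject=/p;/Subject:/p;/Public Key Algorithm/p;/Public-Key/p'
csr_matches_key "$WORK/request.csr" "$WORK/private.key" && \
    echo "CSR public key matches the at-home private key; self-signature OK"
csr_has_no_private_key "$WORK/request.csr" && \
    echo "CSR contains no private-key material"
is_private_key "$WORK/private.key" && \
    echo "private key is readable locally and was never written into the CSR"
```

The comparison is done on the SubjectPublicKeyInfo PEM that both `openssl req -pubkey` and `openssl pkey -pubout` emit, so it works for RSA and EC keys alike; swap the `genpkey` line for `-algorithm EC -pkeyopt ec_paramgen_curve:P-256` and the checks are unchanged.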
