Well said Charles! Slightly OT - It’s also worth noting that while the powers of the internet have seen fit to bless the likes of Verisign and GoDaddy as “trusted” they’ve also blessed quite a few others with more dubious roots. The latest revision of Firefox, for example, has 168 unique trusted root CAs (many of which have roots, etc.). Examples such as these (from Mozilla):

* Hong Kong Post Office
* China Internet Network Information Center
* Amazon

Any one of which could issue a cert for your site and every browser, with some exceptions (HSTS, HPKP, etc.). Ultimately it’s up to the individual browsers/OSes to decide which CAs they’ll include.

But, for internal use (and even some customer use) a properly built private CA (yes, that’s self-signed) is as good or better, as you know the origin and can manage the keys properly. Assuming you don’t need the general public to get a happy green bar + lock on their browser, this is often a great way to go, assuming you manage it properly. And, depending on your needs (e.g. not wanting anyone to be able to spoof you) it might even be better.

Chad

On Jun 22, 2016, at 10:17 AM, Charles Mills <[email protected]> wrote:

Right. This is the confusion on what self-signed means. "Properly" (to be a pedant) self-signed means the certificate is at the head (or bottom, if you will) of the chain. It attests to its own validity; it signs itself; it is not signed by some other certificate -- self-signed does NOT mean that it is signed by you yourselves as opposed to some "known and trusted" authority.

There is no way you can become a "known and trusted authority" unless you want to go to the trouble of competing with Verisign and GoDaddy and become a known and trusted authority.

OpenSSL (and other tools presumably) can create a self-signed certificate. They can create a chain of certificates signed by your in-house authority. But no tool can make you into Verisign or GoDaddy. No tool can make you known and trusted. Verisign and GoDaddy are known and trusted simply because they are known and trusted. There is nothing in the TLS protocol that makes them any different from your in-house authority, or for that matter, a private little root certificate that you create on your desktop.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Gord Tomlin
Sent: Wednesday, June 22, 2016 7:17 AM
To: [email protected]
Subject: Re: z/OS OpenSSL, SelfSigned Certs, etc

On 2016-06-22 10:01, Donald J. wrote (snipped):

With the recent talk about negative aspects of using self-signed certs, I attempted to see if OpenSSL could be used to generate a root certificate and a user cert chained to that root cert.

This appears to me to just build a "son of a self-signed certificate", since your root certificate will not be a known and trusted certificate.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
----------------------------------------------------------------------
