Thanks! Agreed. Well, agreed pretty much. Is it the "powers of the Internet" that have blessed these 168 (wow! I didn't realize that many!) CAs or the various browser and OS publishers? There is no ICANN or similar list of trusted CAs, right -- just whatever your browser, OS or ESM ships?
Any customer is free (correct me if I am wrong) to delete one or more of these "trusted" root authorities, right? Admittedly the process may be obscure and difficult to manage in an era of BYOD.

I kind of got stomped on a couple of weeks ago when I made the assertion you make in your last paragraph, but I still agree. There is nothing magic about Verisign, as much as their advertising would like to make you think there is. If your sole need is internal -- if you are not, for example, talking about "public" browsers connecting to an external Web site -- then there is no reason not to go with an in-house CA. As you say, you can even make the argument that it is MORE secure, or at least, that the security is 100% in your hands.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Bigendian Smalls
Sent: Wednesday, June 22, 2016 8:46 AM
To: [email protected]
Subject: Re: z/OS OpenSSL, SelfSigned Certs, etc

Well said Charles!

Slightly OT - It’s also worth noting that while the powers of the internet have seen fit to bless the likes of Verisign and GoDaddy as “trusted” they’ve also blessed quite a few others with more dubious roots. The latest revision of Firefox, for example, has 168 unique trusted root CAs (many which have roots, etc). Examples such as these (from Mozilla):

* Hong Kong Post Office
* China Internet Network Information Center
* Amazon

Any one of which could issue a cert for your site and every browser with some exceptions (HSTS, HPKP, etc). Ultimately it’s up to the individual browsers/OS’s to decide which CA’s they’ll include.

But, for internal use (and even some customer use) a properly built private CA (yes that’s self-signed) is as good or better, as you know the origin and can manage the keys properly. Assuming you don’t need the general public to get a happy green bar + Lock on their browser, this is often a great way to go, assuming you manage it properly. And, depending on your needs (e.g. not wanting anyone to be able to spoof you) it might even be better.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
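The point made in both messages, that a private CA lets you decide exactly whose signature your systems accept rather than inheriting a browser's 168-entry root list, can be shown with a few openssl commands. The script below is an added example and is not code from either poster or from the IBM-MAIN list; it assumes a POSIX shell and openssl 1.1.1 or later on the PATH (for the -no-CAfile/-no-CApath flags), and every name in it (the CA names, the hostname, the working directory) is constructed for the demonstration. It builds two self-signed roots, has each issue a certificate for the same hostname, and then verifies against only the in-house root, so the certificate from the "other" root, however well-known that root might be in a public trust store, is rejected.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private, self-signed CA built
# with openssl, a leaf certificate issued by it, and chain verification that
# trusts ONLY that CA, ignoring whatever root bundle the OS or browser ships.
# All names below are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Write a tiny openssl config so the root carries explicit CA extensions,
# independent of whatever default openssl.cnf the system happens to have.
write_ca_config() {           # $1 = CA common name, $2 = config path
    cat > "$2" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $1
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed root: the CA's own key signs the CA certificate.
build_private_ca() {          # $1 = CA common name, $2 = output prefix
    write_ca_config "$1" "$2.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$2.cnf" -extensions v3_ca \
        -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}

# Issue a server (leaf) certificate for hostname $1, signed by CA cert $2 / key $3.
issue_server_cert() {         # $4 = output prefix
    host="$1"; ca_cert="$2"; ca_key="$3"; out="$4"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -config "$ca_cert.cnf" \
        -keyout "$out.key" -out "$out.csr" >/dev/null 2>&1
    printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' \
        "$host" > "$out.ext"
    openssl x509 -req -in "$out.csr" -CA "$ca_cert.pem" -CAkey "$ca_key" \
        -CAcreateserial -days 365 -sha256 -extfile "$out.ext" \
        -out "$out.pem" >/dev/null 2>&1
}

# Prints "trusted" or "untrusted". -no-CAfile/-no-CApath exclude the system
# store, so only the root passed as $2 can vouch for the leaf in $1.
chain_status() {              # $1 = leaf cert, $2 = root cert
    if openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Demo: our in-house root and some other root both issue a cert for the same host.
build_private_ca "Example Internal Root CA" "$WORK/ours"
build_private_ca "Some Other Root CA" "$WORK/other"
issue_server_cert app.internal.example "$WORK/ours"  "$WORK/ours.key"  "$WORK/app-ours"
issue_server_cert app.internal.example "$WORK/other" "$WORK/other.key" "$WORK/app-other"

echo "leaf from our CA, verified against our CA:   $(chain_status "$WORK/app-ours.pem"  "$WORK/ours.pem")"
echo "leaf from other CA, verified against our CA: $(chain_status "$WORK/app-other.pem" "$WORK/ours.pem")"
```

The same leaf that is "untrusted" here would be accepted by any client that carries the other root in its bundle; the difference is entirely in which roots the verifier is handed, which is the control an in-house CA gives you. In a real deployment the root key would live offline or in an HSM and an intermediate would do the day-to-day signing, but the verification step is the same.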
