For Ryan's specific question:
>The question I was posing was whether we should pay for a third party to
>certify our security cert or just certify our own
In the context of MIFOS deployment, where all usages are restricted within
an organization, I think it is fine for a MFI to certify its own
certificate.
Going down self-certifying, however, requires the MFI to somehow distribute
a reliable root certificate.
To illustrate the specific question, I'd use a third-party example: a user
goes on to https://yahoo.com, with a certificate certified by RSA.
When users connect to https://yahoo.com, what they really trust is
that:
1. they trust RSA, and RSA put their stamp on it saying that this is the real
yahoo.com
2. they trust the RSA stamp (root certificate) is an authentic one. For
practical purposes, that trust comes from the fact that all major browsers
include the authentic RSA stamp (the root certificate) as part of their
distribution.
To make the point clearer, hypothetically if a user gets a malicious copy of
the Firefox browser with a fake RSA root certificate, it's foreseeable that the
user would be susceptible to a phishing attempt, logging in to a fake
https://yahoo.com.
Back to the original question, if an MFI decides to certify its own
certificate, the question then becomes: how can all the computers needed to
access that particular MIFOS deployment get a copy of the MFI's own root
certificate, reliably, knowing that it is the real one?
- sam
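The scenario in the message above (an MFI signing its own server certificate, and a client that either holds the genuine MFI root or some other root), as an added example that is not part of the original thread. It assumes openssl 1.1.1 or later is on PATH; the MFI name, host name and file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): an MFI acting as its own CA,
# then checking what a client sees with and without the genuine root.
# Assumes openssl 1.1.1+ on PATH; every name and path is a placeholder.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Make a self-signed root certificate for the given subject and file prefix.
make_root() {   # $1 = subject CN, $2 = file prefix
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
        > "$WORK/$2.ext"
    openssl x509 -req -days 3650 -in "$WORK/$2.csr" -signkey "$WORK/$2.key" \
        -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# Issue a server certificate for the Mifos host, signed by the MFI root.
make_server_cert() {   # $1 = server DNS name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" \
        > "$WORK/server.ext"
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Verify the server certificate the way a client would, trusting only the
# root it was given. Exit status 0 = trusted, non-zero = rejected.
verify_with_root() {   # $1 = path of the root certificate the client holds
    openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

make_root "Example MFI Root CA" root
make_root "Impostor Root CA" fake     # a different root a client might be fed
make_server_cert mifos.example-mfi.internal
if verify_with_root "$WORK/root.crt"; then echo "genuine MFI root: server trusted"; fi
if ! verify_with_root "$WORK/fake.crt"; then echo "other root: server NOT trusted"; fi
```

The second check is the whole point of the question above: a client that did not receive the genuine root (or received a substituted one) rejects the real Mifos server, so the root has to reach every client through a channel the MFI controls.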
_______________________________________________
Mifos-functional mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/mifos-functional