> -----Original Message-----
> From: Sam Lee [mailto:[EMAIL PROTECTED]
> Sent: Monday, 6 October 2008 03:10
> To: Mifos functional discussions
> Subject: Re: [Mifos-functional] To SSL Cert or not to SSL Cert
>
> For Ryan's specific question:
>
> >The question I was posing was whether we should pay for a
> >certify our security cert or just certify our own
>
> In the context of MIFOS deployment, where all usages are
> restricted within an organization, I think it is fine for a
> MFI to certify its own certificate.

Yes, but see my earlier comments about CACert.org...

> Going down self-certifying, however, requires the MFI to
> somehow distribute a reliable root certificate.

...

> Back to the original question, if an MFI decides to certify
> its own certificate, the question then becomes, how can all
> the computers needed to access that particular MIFOS
> deployment get a copy of the MFI's own root certificate,
> reliably, knowing that it is the real one?

By checking the fingerprint when it is installed. A man-in-the-middle attack would require the attacker to generate a certificate with your CN and OU information, and with the same fingerprint as yours. A difficult proposition...

Regards
Graeme
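Added example, not part of the original message: a sketch of the fingerprint check described above, done before a received root certificate is installed. It assumes a SHA-256 fingerprint (the thread names no algorithm); the function names are hypothetical and the certificate bytes are constructed stand-ins, not real certificates.

```python
import hashlib
import hmac
import ssl

# Constructed stand-ins for certificate DER bytes (not real certificates);
# a fingerprint is a hash over the DER encoding, so any bytes illustrate it.
GENUINE_DER = b"constructed stand-in: the MFI's own root certificate"
SUBSTITUTED_DER = b"constructed stand-in: a substitute carrying the same CN and OU"
GENUINE_PEM = ssl.DER_cert_to_PEM_cert(GENUINE_DER)
SUBSTITUTED_PEM = ssl.DER_cert_to_PEM_cert(SUBSTITUTED_DER)


def cert_fingerprint(pem):
    """SHA-256 over the DER bytes inside a PEM certificate, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def normalize_fingerprint(text):
    """Accept 'SHA256 Fingerprint=AA:BB:...' or bare hex; return 64 hex chars."""
    value = text.split("=", 1)[-1]
    digits = "".join(ch for ch in value if ch not in ": \t\r\n").lower()
    if len(digits) != 64 or any(ch not in "0123456789abcdef" for ch in digits):
        # A shortened fingerprint is refused rather than matched on a prefix.
        raise ValueError("expected a full 64-hex-digit SHA-256 fingerprint")
    return digits


def safe_to_install(pem, published_fingerprint):
    """True only if the received file hashes to the published fingerprint."""
    expected = normalize_fingerprint(published_fingerprint)
    return hmac.compare_digest(cert_fingerprint(pem), expected)


def as_published(hex_fp):
    """Format hex in the colon-separated style 'openssl x509 -fingerprint' uses."""
    pairs = (hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2))
    return "SHA256 Fingerprint=" + ":".join(pairs).upper()


# Fingerprint the MFI hands out through a separate channel (constructed here).
PUBLISHED = as_published(cert_fingerprint(GENUINE_PEM))

if __name__ == "__main__":
    for name, pem in (("genuine", GENUINE_PEM), ("substituted", SUBSTITUTED_PEM)):
        verdict = "install" if safe_to_install(pem, PUBLISHED) else "REJECT"
        print(f"{name}: {cert_fingerprint(pem)[:16]}... -> {verdict}")
```

The check is only as reliable as the channel the published fingerprint arrives through, so that value should reach each workstation separately from the certificate file itself.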
