> -----Original Message-----
> From: Ryan Whitney [mailto:[EMAIL PROTECTED]
> Sent: Monday, 6 October 2008 19:43
> To: Mifos functional discussions
> Subject: Re: [Mifos-functional] To SSL Cert or not to SSL Cert
>
> On 10/5/08 8:47 PM, "Graeme Ruthven" <[EMAIL PROTECTED]> wrote:
>
> > > Back to the original question, if an MFI decides to certify
> > > its own certificate, the question then becomes, how can all
> > > the computers needed to access that particular MIFO
> > > deployment get a copy of the MFI's own root certificate,
> > > reliably, knowing that it is the real one?
> >
> > By checking the fingerprint when it is installed.
> >
> > A man in the middle attack would require the attacker to
> > generate a certificate with your CN and OU information, and
> > with the same fingerprint as yours. A difficult proposition...
>
> That may be, but in my experience in organizations, that even
> though you can educate everyone to do this, tell everyone to
> do this, etc, you can't really expect everyone to do this.
> Much like setting password policies.

Ain't that the truth? :-(

> I still believe that for the costs of CACert.org's (free) or
> even the ones Andrew provided which were only a few hundred
> dollars would be preferable to self-certifying for larger
> organizations (maybe if you have one or two branches, it's
> easier to manage, but when you get up to 50 computers...).

Currently you still need to install the root certificate for CACert.
However the branch computers _should_ be under the MFI's management, so
installing the root certificate could be done during the training
sessions or system build.

Regards
Graeme
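
Added example, not part of the original thread: a sketch of the fingerprint check discussed above, scripted so it can run during a system build instead of relying on each user to compare by eye. It assumes a SHA-256 fingerprint received out of band; the function names and the sample bytes are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)

def pem_to_der(pem_text):
    """Return the DER bytes of the single certificate in pem_text."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        # A bundle would make it ambiguous which certificate was checked.
        raise ValueError("expected exactly one certificate, found %d" % len(blocks))
    return base64.b64decode("".join(blocks[0].split()), validate=True)

def fingerprint(pem_text):
    """SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(pem_to_der(pem_text)).hexdigest()

def normalise(fp):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; reject truncated values."""
    hexdigits = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexdigits):
        raise ValueError("not a complete SHA-256 fingerprint")
    return hexdigits

def safe_to_install(pem_text, expected_fp):
    """True only if the file's fingerprint equals the out-of-band value."""
    return hmac.compare_digest(fingerprint(pem_text), normalise(expected_fp))

def make_pem(der):
    """Helper used only to build the constructed sample below."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample data: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed placeholder for the MFI root certificate" * 4
SAMPLE_PEM = make_pem(SAMPLE_DER)

if __name__ == "__main__":
    printed = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
    printed = ":".join(printed[i:i + 2] for i in range(0, 64, 2))
    print("install" if safe_to_install(SAMPLE_PEM, printed) else "REJECT")
```

The expected fingerprint has to reach the installer over a different channel from the certificate file itself, for example on the printed training material.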
