Rather than give a technical reason, I can give you an intersting example
of a real world situation.
I'm currently implementing an E-Commerce system for Industry Canada, and
some company won the bid to supply us with software (namely OpenMarket,
and yes I accept your condolances ).
An integral part of the process involves the users going off site to the
ecommerce site and back to our site for fullfillment. To ensure goods are
paid for we need to use a web server called the secure link bridge.
Our secure link bridge needs a certificate and it installs with a test
type certificate. Our client services group did not like this because the
browser would ask to accept that certificate and mentioned security
concerns. When we approached the company on how to generate a real
certificate request (seeing as securelink bridge will only accept
certficiates generated from their software) they seemed suprised we wanted
to do this. Why spend the extra money they said as it was just as secure.
The answer is maybe its secure enough, but does it give your superiors
(who in my case have a somewhat limited technical understanding in this
area) and customers that "vote of confidence" that you are providing the
most secure solution possible. If your data really has a need to be
secure, then whats a few hundred bucks?
Jeff
On Mon, 28 Jun 1999, Jason Gilmore wrote:
> I have very recently (today) set up a secure server, and am currently
> using the test certificate to test the setup.
>
> The reason why I am using a secure server is to protect database data
> for a project we are currently working on. The database will be for
> internal use only, and will not be accessible to the outside.
>
> Therefore, my question is:
>
> Is the test certificate good enough for encryption, or is it suggested
> that we purchase a certificate?
>
> If it is not good enough, why? I have read the docs, but must not
> understand something...
>
> Many thanks!
>
> -- jason
>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
