Certificates are based on a public/private key scheme.  Anyone can create
a certificate, but unless the public and private keys used for the
certificate match the public key that everyone has distributed to them to
verify the certificate, the certificate will fail to verify.  (And since
it's infeasible to derive a private key from a public key, and vice-versa,
the system relies on the ability of the CA [Thawte, Verisign, etc] to keep
its private key private.)

This essentially means that Thawte has a different key pair than Verisign,
and any other CA that is created.  The reason this is an issue is only
because Thawte and Verisign are the only two (to my knowledge) CAs that
have their trust embedded in all major SSL-capable browsers.  You can add
CAs to your list of 'trusted CAs', but only by jumping through hoops to
say that you understand what you're doing and you do trust the CA to
validate identities and so on.

(I realize this sounds like a high-level explanation -- I just woke up,
and my brain's not operating on the simple-language level yet.  If you
don't understand, there are some books on a concept called "Public Key
Infrastructure" that can explain it in more detail, and probably in a
simpler format.)

---
Mat Butler, Winged Wolf                       <[EMAIL PROTECTED]>
SPASTIC Web Engineer                  SPASTIC Server Administrator
----Begin FurryCode v1.3----
FCWw5amrsw A- C+ D H+++ M+++++[servercoder] P+ R++ T+++ W Z++ Sm++ 
RLCT/M*/LW* a cl/u/v++++>+++++ !d e- f>++++ h++ iwf+++ j p->+ sm++
----End FurryCode v1.3----
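The point made above (a certificate verifies only against the public key of the CA whose private key signed it) and Graham's point further down (a homegrown certificate works, but nothing trusts it until you say so), as an added shell example using openssl. This is not code from the thread or from mod_ssl; the CA names ca-a and ca-b, the hostname www.example.test and the mktemp scratch directory are assumptions made for the demo, and the `-addext` option needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added demonstration for the thread above; not code from the mod_ssl list.
# Builds two toy CAs with openssl, has one of them sign a server certificate,
# and also makes a self-signed ("homegrown") server certificate. It then shows
# that `openssl verify` accepts a certificate only when the trusted file holds
# the public key whose private half signed it. Assumptions: the CA names
# ca-a/ca-b, the hostname www.example.test and a scratch directory from mktemp.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Small private openssl config so nothing depends on the system openssl.cnf.
# The v3_ca section is what makes a certificate usable as a trust anchor.
write_config() {
  [ -f "$WORK/openssl.cnf" ] && return 0
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca NAME: a self-signed CA certificate and its private key.
# The private key (NAME.key) is the secret the whole scheme depends on.
make_ca() {
  name="$1"
  [ -f "$WORK/$name.crt" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/openssl.cnf" -extensions v3_ca -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
}

# make_leaf NAME CA HOST: a server key + CSR for HOST, signed with CA's key.
make_leaf() {
  name="$1"; ca="$2"; host="$3"
  [ -f "$WORK/$name.crt" ] && return 0
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/openssl.cnf" -subj "/CN=$host" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" \
    > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -days 30 -sha256 \
    -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# make_selfsigned NAME HOST: the "cooked up yourself" certificate, no CA at all.
make_selfsigned() {
  name="$1"; host="$2"
  [ -f "$WORK/$name.crt" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/openssl.cnf" -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
}

# verify_result CERT TRUSTED: prints "ok" if CERT chains to the public key in
# TRUSTED.crt, "fail" otherwise. The output is checked rather than the exit
# code because old openssl releases exited 0 even on a failed verify.
verify_result() {
  out=$(openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" 2>&1 || true)
  case "$out" in
    *": OK"*) echo ok ;;
    *)        echo fail ;;
  esac
}

setup_demo() {
  write_config
  make_ca ca-a
  make_ca ca-b
  make_leaf server-a ca-a www.example.test
  make_selfsigned homegrown www.example.test
}

setup_demo
echo "server-a,  trusting ca-a:   $(verify_result server-a ca-a)"        # ok
echo "server-a,  trusting ca-b:   $(verify_result server-a ca-b)"        # fail: different key pair
echo "homegrown, trusting ca-a:   $(verify_result homegrown ca-a)"       # fail: no trusted signer
echo "homegrown, trusting itself: $(verify_result homegrown homegrown)"  # ok: the 'are you sure' click
```

Here `openssl verify -CAfile` plays the browser's role: the file it is handed is the list of trusted public keys. Passing homegrown.crt itself as that file is the command-line equivalent of clicking through the browser's warning or importing the certificate into the trusted list; the encryption is the same either way, only the answer to "who vouches for this key" changes.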


On Fri, 4 Feb 2000, girlNextDoor wrote:

> 
> Good day, everyone!
> 
> I am a newbie (an absolute one at that).
> 
> On this thread, I have a question. If we could cook up certs like that,
> why are they there anyway?
> 
> Is it like the loopback in Unix? Just a mechanism for standardisation - an
> emulation, I mean...
> 
> what does the encryption mean if it is not 'trustworthy'? That it is
> easily crackable? (I write from Singapore, not the US, if it helps.)
> 
> If these questions are super-dumb, please excuse me and point me to the
> right book that I can RTFM with. And my apologies too on that...
> 
> Regards,
> --Sue.
> ----------------------------------------------------
> Linux lovers please visit: http://www.slc2000.com.sg
> ----------------------------------------------------
> 
> On Wed, 2 Feb 2000, Graham Leggett wrote:
> 
> - ->AJDIN BRANDIC wrote:
> - ->
> - ->> I'm a student at Coventry University (UK) doing Computer Science Hon. Degree
> - ->> and for my final year project I am building a secure web server plus
> - ->> creating a web site which will use this facility.
> - ->> 
> - ->> Now do I really need a certificate (FQDN) to install SSL?  This is only a
> - ->> project which will not be used anywhere by anyone really, it is just an
> - ->> exercise.  How much would a licence cost anyway?
> - ->
> - ->Yes, you do need a certificate, but you could just as well generate one
> - ->yourself. All the software required to do this is included with mod_ssl
> - ->(and openssl) and instructions are included.
> - ->
> - ->If you want to generate a certificate that is trusted by all the
> - ->browsers out of the box, you will need to buy one. It's up to you to
> - ->decide how important this is to you. A certificate not recognised by the
> - ->browser (such as a homegrown cert you cooked up yourself) will cause the
> - ->browser to throw an "are you sure" dialog box before downloading the
> - ->page.
> - ->
> - ->Regards,
> - ->Graham
> - ->-- 
> - ->-----------------------------------------
> - ->[EMAIL PROTECTED]          "There's a moon
> - ->                                  over Bourbon Street
> - ->                                          tonight...
> - ->______________________________________________________________________
> - ->Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> - ->User Support Mailing List                      [EMAIL PROTECTED]
> - ->Automated List Manager                            [EMAIL PROTECTED]
> - ->
> 
> *******************************************************************************
> Sujatha Natraj                                                        (yr3/sem6)
>       SMTP    :[EMAIL PROTECTED]
>       HTTP    :http://www.comp.nus.edu.sg/~sujathan
>               :http://www.geektown.net(NEW!)
> Computer Engineering                          National University of Singapore
> *******************************************************************************
> 
> 
