Ian G wrote:

On Monday 09 May 2005 20:30, [EMAIL PROTECTED] wrote:


Hi, Frank, et al.

COMODO has been offering FREE fully signed certs:
http://www.instantssl.com/ssl-certificate-products/free-ssl-certificate.html?currency=USD&region=North%20America&country=US
(since 2002: http://www.instantssl.com/ssl-certificate-news/ssl-171202.html ).
This is worse than Bug 290491.
I don't understand. Those pages refer to either certs that are bundled with other non-free services, or short life time certs that are set up for testing purposes.

Either way, what is the problem with free certs?
Why are they "better" because they are expensive?


I have to agree with Ian. Just the fact that the certs in question are issued for free does not invalidate the CA, nor does it invalidate the proposed policy. The question isn't the cost of the certificate, but the rigor and validity of the process of authentication. As far as I can tell from the website, Comodo is fully authenticating their certs:

BEFORE YOU START: Please note that Free SSL Certificates are fully validated prior to issuance. Please ensure you provide only accurate data. Applications containing invalid details cannot be issued.

Now if it turns out Comodo is taking your data and using it at face value, or is not properly authenticating the owner of the domain with a 'strong enough' authentication method, then we need to bring that up. (I didn't actually click to get a 'free SSL Certificate', so I'm not sure what authentication scheme they are using).
I urge mozilla.org to adopt and enforce the latest revision of Frank's
proposed policy. CAs are in a race to the bottom, and we mustn't help.
If the 'bottom' means 'poor authentication', I agree, we definitely should put the brakes on. If the bottom, however, means the price point for certificates, that's for the market to figure out. If you have a business case which says "I'll issue free certificates and make money on this auxiliary business", more power to you. In Comodo's case, they are issuing free 'Trial' certificates to convince you their service is easy to use.

The reason 'free' often raises red flags is that to get to 'free', often a CA will create short-cuts (poor or non-existent processes, weak authentication when issuing certs, poor controls on the CA's keys, etc.). As long as a CA can maintain sharp processes and controls, and strong authentication, they should be able to pass muster. How much they charge for a certificate is irrelevant.

bob