[Dshield] Digital certificates

Johannes B. Ullrich jullrich at euclidian.com
Tue Oct 26 11:33:03 GMT 2004


> > You could always just do what some government sites do and write your 
> > own certificate.  Many of the dot mils I have been visiting lately seem 
> > to be creating/writing their own with no repercussions.
> 
> 
> When you can reply with your very own nuclear weapon, I suppose you
> don't have to worry about repercussions.

Writing your own certificates (= signing them with your own CA, not just
"self signed") is perfectly acceptable if you have a limited user group.
You just have to find a way to distribute the CA-certificate (which can
easily be downloaded from a web site).

The only thing that makes Verisign et al. special is that they managed to
have their certificates added to common browsers as default "trusted"
certificates.

So as long as you can convince people to download (and trust) your own
certificate, you are fine. For example, for a company internal website,
you can ask users to pick up the CA-certificate (from a secure internal
location). You will now just use this "company CA" to issue various
certificates of your own to "secure" your company internal websites, for
example development sites, intranets or others. You may use this not
just for web sites. You could use them for S/MIME and other purposes.


-- 
Johannes Ullrich                     jullrich at euclidian.com
contact: http://johannes.homepc.org/contact.htm
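
Added example, not part of the original message: the "company CA" workflow described above, done with the openssl command line. The host name, CA name and file layout are constructed for illustration; the two verify functions show that the issued certificate is accepted only by a client that has the CA certificate as a trust anchor.

```shell
#!/bin/sh
# Added example; every name below (Example Company CA,
# intranet.example.internal) is constructed for illustration.

build_demo_pki() {   # $1 = empty working directory
    dir="$1"
    # Minimal config so the run does not depend on the system openssl.cnf.
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.internal
EOF
    # 1. The company CA: a key pair plus a self-signed CA certificate.
    #    ca.crt is what users download; ca.key never leaves the CA host.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/pki.cnf" -extensions v3_ca \
        -subj "/CN=Example Company CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 2. The internal web server: its own key and a signing request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/pki.cnf" -subj "/CN=intranet.example.internal" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. The CA signs the request, producing a certificate that is not
    #    self-signed: its issuer is the company CA.
    openssl x509 -req -sha256 -days 90 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions v3_server \
        -out "$dir/server.crt" 2>/dev/null || return 1
}

# Client that imported the company CA certificate as a trust anchor.
verify_with_company_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" 2>&1 | grep -q ': OK$'
}

# Client that only has the default trust store (no company CA imported).
verify_with_default_store() {
    openssl verify "$1/server.crt" 2>&1 | grep -q ': OK$'
}
```

The keys are written unencrypted (-nodes) to keep the run non-interactive; a real CA key would be passphrase-protected or kept offline.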
