[unisog] IPSCA free SSL certificates

Reg Quinton reggers at ist.uwaterloo.ca
Fri Aug 24 19:06:36 GMT 2007


> Our take on this is that for high profile or critical services we still
> use Thawte (particularly ones where there may be liability issues).

We too. The other thing I was concerned about is the turn around time with
these other fellows. We have quick turn around with Thawte, typically in an
hour. Waiting for anything longer is a hidden cost.

I've read elsewhere that IPSCA's 98% recognition isn't good enough --- the
argument is what does it cost you to lose a customer? But I am impressed
with the numbers people are tossing around and questioning why we spend so
much with Thawte ...

> Where the primary purpose of SSL is just to protect login creds to local
> services then we use anything that we can get our hands on including
> self signed and free certs.

That encourages bad behaviour by your users. If users will accept any old
certificate presented to them then they are vulnerable to man in the middle
and spoofing attacks. I would not recommend that practice. There's a
discussion of the issue here:

http://ist.uwaterloo.ca/security/vulnerable/20051207.shtml

We use self signed certs for test/dev systems. All production services use
Thawte.  To date I think it's money well spent.

I don't want users to accept any old cert that comes their way.
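An added example, not from the original post or from anyone on the list, showing the difference between the two policies discussed above: trusting whatever certificate is presented versus pinning an explicit anchor for a self-signed test/dev cert. It assumes the openssl CLI is installed; the host name dev.example.test and both certificates are constructed on the fly.

```shell
#!/bin/sh
# Added example, not from the original thread. Contrasts the default trust
# store, an explicit anchor on a known self-signed test/dev cert, and the
# "accept anything" habit that lets a look-alike cert through unnoticed.
# Assumes the openssl CLI is available; dev.example.test is a constructed name.
set -e

WORK=$(mktemp -d)

# Create a self-signed certificate: $1 = file prefix, $2 = subject CN.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# Verify certificate $1 under a trust policy and return 0 when accepted.
#   $2 empty : default system store only (what a client does before anyone
#              clicks through a warning)
#   $2 set   : trust exactly that file as the anchor (explicit test/dev policy)
# An "accept anything" client would simply return 0 here for every input.
verify_with() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

# The lab's own cert, plus a second self-signed cert carrying the same name,
# standing in for what a spoofed endpoint would present to the client.
make_selfsigned dev      dev.example.test
make_selfsigned impostor dev.example.test

# One report line per policy/cert pair; used when the script is run by hand.
show() {
  if verify_with "$2" "$3"; then r=accepted; else r=rejected; fi
  printf '%-22s %-14s %s\n' "$1" "$(basename "$2")" "$r"
}

show "default store"       "$WORK/dev.pem"      ""
show "default store"       "$WORK/impostor.pem" ""
show "anchored on dev.pem" "$WORK/dev.pem"      "$WORK/dev.pem"
show "anchored on dev.pem" "$WORK/impostor.pem" "$WORK/dev.pem"
```

Under the default store both certs draw the same warning, so a user trained to click through cannot tell them apart; with the anchor pinned, only the genuine dev cert passes.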