Re: self signing certificates




On Mon, 24 Aug 2009, aurfalien@xxxxxxxxx wrote:

> I would go buy a cert.
>
> They aren't much money and you can specify the granularity you want 
> the cert to have, the more granularity, the higher the cost but they 
> are not that much anyways.

The difficulty with purchased certificates is timely revocation, 
since, as you note,

> After all, 75% of breaches occur from within.  You can take that 
> however you want but the days of a soft nougatine LAN are over.

An in-house Certificate Authority can revoke, say, a locally issued 
OpenVPN certificate very quickly. If HR calls you aside for a quick 
and quiet meeting to halt all network access for Jane Employee, having 
the ability to revoke her certificate(s) by the time she's ushered 
from the building is nearly essential.

The same thing is true if a user's laptop is stolen. An employee 
called me early one Sunday morning to let me know that someone had 
broken into his house and stolen, among other things, his laptop. He 
had things encrypted, but it was still very reassuring to everyone 
that I was able to revoke his VPN cert within a few minutes.

-- 
Paul Heinlein <> heinlein@xxxxxxxxxx <> http://www.madboa.com/
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
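
The revocation workflow described in the message above, as an added example that is not part of the original post: a throwaway in-house CA built with the `openssl` CLI issues a client certificate, revokes it, and republishes its CRL, with a CRL-checking verification run before and after. The CA name, the `jane-laptop` subject, the file names and the config section names are all constructed for the demonstration.

```shell
# Added example: all names (Demo In-House CA, jane-laptop, files) are constructed.
revocation_demo() (
  set -e
  work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
  mkdir newcerts; : > index.txt; echo 01 > serial
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
serial = ./serial
new_certs_dir = ./newcerts
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 1
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # CA key and self-signed root, then a client key, CSR and issued certificate.
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo In-House CA" -keyout ca.key -out ca.crt 2>/dev/null
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=jane-laptop" -keyout jane.key -out jane.csr 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -in jane.csr -out jane.crt 2>/dev/null
  # What a CRL-checking relying party concludes about the certificate right now.
  check() {
    if out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem jane.crt 2>&1)
    then echo valid
    else case $out in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
    fi
  }
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
  before=$(check)
  # Revoke, then publish a fresh CRL: revocation only bites once the new CRL is out.
  openssl ca -config ca.cnf -revoke jane.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
  echo "before=$before after=$(check)"
)
revocation_demo
```

The revocation takes effect only where the regenerated CRL is actually consulted; an OpenVPN server reads such a file through its `crl-verify` directive.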
