Personally, I think signing up at cacert.org is worth the trouble. You get that out of the way and from then on generating and keeping track of your certificates is a breeze. If you need to reinstall a cert, it's right there on their web site.

----- Original Message -----
From: "Gregory Nowak" <greg@xxxxxxxxxxxxxxxxxx>
To: <speakup at braille.uwo.ca>
Sent: Monday, October 19, 2009 6:32 PM
Subject: ssl certificate advice

> Hi all.
>
> I thought I'd throw this out there, to see what kind of ideas I get
> back, and if there are maybe enough of the same type of responses to
> qualify as a majority consensus.
>
> I'm setting up a webmail account for my mother on my server, and she's
> transitioning from using webmail at a major ISP for the last 6 years
> or so. She checks her mail on her windows laptop, which spends all of
> its time so far sitting on her desk at home. She hasn't checked her
> webmail on a pc other than her laptop for the last 6 years as far as I
> know, but that can of course happen at any time.
>
> The webmail sessions have to be encrypted, she refuses to login to any
> account, if it doesn't have the lock icon, or if that lock icon
> doesn't look like it's supposed to. I know she'd also complain if
> internet explorer told her that there is a problem with a site's
> certificate every time she clicked a link to go to another page. So,
> to summarize, it has to go over https, even if it will just be over
> our wired lan, and ssl has to behave as it would for most other
> sites. Also, getting a commercial ssl certificate isn't an option, not
> at this point anyway.
>
> I am considering signing up with cacert.org, and getting a standard
> automatically signed certificate through their system, and importing
> their root cert on my mom's machine. However, cacert's emphasis is
> on authentication, (and rightly so). They even state on their site
> that their goal is to create a web of trust among all their users. On
> the other hand, I'm just interested in the encryption benefits of ssl
> in this case, and not in authentication.
>
> So, what I'm trying to decide is if it's worth it for me to sign up
> with cacert.org, thus getting a certificate signed by them, but in
> turn also being bound by responsibilities in their rather long, and
> many agreements, or if it would be a better idea, considering the
> circumstances, and my goal of encryption vs. authentication, to simply
> import my own root cert on my mother's machine. From what I've seen,
> importing a root cert into windows for a user isn't a walk in the
> park, whereas cacert has an activex control that will import their
> root cert. This however isn't a major deciding factor for me. The way
> I see it, given that my mom checks her mail on her laptop, I'm better
> off importing my own root cert on her machine. She would get
> complaints from internet explorer, if she ever checked her mail on
> another machine, but at this point in time, it would be the same with
> cacert's root certificate also. As for other users who currently have
> accounts on my system, getting a cacert-signed certificate would
> benefit them in the long run, but at this point, there are only a
> couple of people with accounts here, and none of them use webmail from
> what I've seen based on my apache logs.
>
> So, what I'm trying to settle on is if it's worth it for me to sign up
> with cacert, the way things stand now with their root cert,
> (especially given that I'm not interested in authentication, and
> wouldn't be interested in meeting up with someone else to verify me,
> or for me to verify them, if that's possible), or if I should just
> import my root cert on my mom's machine. Any thoughts which would
> contribute in helping me to decide one way or the other, especially
> pointing out anything I overlooked, would be appreciated, and thanks
> in advance.
>
> Greg
>
> --
> web site: http://www.romuald.net.eu.org
> gpg public key: http://www.romuald.net.eu.org/pubkey.asc
> skype: gregn1
> (authorization required, add me to your contacts list first)
>
> --
> Free domains: http://www.eu.org/ or mail dns-manager at EU.org