Re: Certificate authorities

• From: Jeff Wiseman <throwawayacct225@xxxxxxxxxxxxxxxxxxxxxxx>
• Date: Wed, 29 Oct 2008 20:21:14 -0500

Chris Ridd wrote:

> On 2008-10-29 17:51:08 +0000, Jack Gaskella <gaskella@xxxxxxxxxx> said:

>> I posted this in and received no response yet. Anyone here know?

> This stuff is all described fully by the X.509 standard. For a gross simplification, read on...
>
> CAs are organizations that certify the identity of somebody else. Verisign is an example of an organization that runs a CA. (Actually lots of CAs.) An SSL web server is considered an identity of something. You can have "secure" Internet email as well, and then your email address is a secure identity. When a CA certifies something, the thing gets a digital certificate. Digital certificates are unforgeable as far as anyone knows. CAs also have digital certificates.
>
> So when you connect to an SSL web site, you need to work out whether you trust the web site or not. If you don't, you don't connect. One way to trust a web site is to tell your web browser a list of SSL certificates that you explicitly do trust. That doesn't scale too well, so what you can do instead is to tell your web browser a list of CA certificates. If one of those has issued a particular SSL certificate, you trust the web site. There are far fewer CAs than SSL servers, so this scales much better.

>> in preferences/advanced/encryption/view certificates. What are certificate authorities and what happens if I delete them all? There are several dozen of them. Regards, J

> If you delete them, you will have to manually agree to every SSL connection that you make. That would probably be quite annoying. But on the other hand, maybe you have a different idea of which CAs are trustworthy, to the Mozilla organization's. I'd be inclined not to delete them.

What Chris said. The first time you try to access a bank or store's website, you'll probably be asked if you trust them. The best way to show trust is to show trust in the Certifying Authority -- in which case you would then have to go and obtain the appropriate CA certificate, verify that it is indeed from that CA (by comparing digital fingerprints) and then re-install it where you took the old one out. Mozilla org has already gone through that and installed the most common CAs for you. No need to remove them unless you plan on not interacting with anyone or any site that has been certified by them.

BTW, a danger in removing those CA certs is if you were to, say, go to a store website but you had stumbled on a phishing link or a non-trustworthy site using another company's name, when the query comes up and you acknowledge that you trust it, you have turned off warnings against their certificate which is now not what you thought it was. If you had left the CA certs installed, anytime that you get an untrusted warning, you would need to pay more attention since most common secured sites are rooted in those CAs. With the CA certs removed, every single trustworthy site out there will cause the browser to complain that it is not trusted.

An analogy is your state Department of Transportation, which is a type of certifying authority. They issue personal IDs in the form of driver's licenses. They have criteria where you have to prove to them that you are who you say you are before they'll give you a certificate (i.e., a driver's license) that proves you are really Joe Shmoe. Businesses that need a reliable source of ID from someone will accept a driver's license based on the knowledge of the DOT's certifying process. The difference is that a driver's license can be forged and an X.509 certificate cannot (although like a driver's license, it can be stolen if not taken care of).

-- 
Jeff Wiseman
to reply, just remove ALLTHESPAM.
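The trust decision Chris describes (the browser accepts a site only if its certificate was issued by a CA in the browser's list) and the danger Jeff points out (an emptied list, or a look-alike certificate) as an added example in Go, not code from anyone in this thread: a constructed root CA and a site certificate it issued are checked against a trust store that holds that CA, against an empty store, and against a second CA that merely carries the same name. The CA name "Example Root CA" and the host shop.example are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on any setup error; acceptable because every input here is constructed demo data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue generates a key and signs tmpl with parentKey; a nil parent means self-signed, i.e. a root CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}
// BuildDemo returns a trust store holding one constructed root CA plus a site certificate that CA issued.
func BuildDemo() (store *x509.CertPool, site *x509.Certificate) {
	start, end := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: start, NotAfter: end,
		Subject: pkix.Name{CommonName: "Example Root CA"}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	site, _ = issue(&x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: start, NotAfter: end,
		DNSNames: []string{"shop.example"}}, ca, caKey) // hypothetical host name
	store = x509.NewCertPool()
	store.AddCert(ca)
	return store, site
}
// Verified is the browser's decision: does the site certificate chain to a CA in the trust store?
func Verified(site *x509.Certificate, roots *x509.CertPool) bool {
	_, err := site.Verify(x509.VerifyOptions{Roots: roots, DNSName: "shop.example"})
	return err == nil
}
func main() {
	store, site := BuildDemo()
	fmt.Println("CA installed:", Verified(site, store), "| all CAs deleted:", Verified(site, x509.NewCertPool()))
}
```

Because chain building matches a root by its key as well as its name, a second CA calling itself "Example Root CA" but holding a different key does not make its certificates trusted, which is what the fingerprint comparison Jeff mentions guards against.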
