Re: How can I act as a Certificate Authority (CA) with openssl ??
From: Bruno Wolff III (bruno_at_cerberus.csd.uwm.edu)
Date: 28 Sep 2004 19:56:09 GMT
In article <firstname.lastname@example.org>, Dr. David Kirkby wrote:
> But as far as I am aware, there is nothing legally (in the UK at
> least) stopping me signing a digital certificate, verifying the
> identity of someone else, then putting that on a web site. Of course,
> whether a third party chooses to trust me is entirely up to them.
> Being a 'nobody', I don't suppose others would attach too much weight
> to it.
There isn't. From what you said the only reason for you to consider
paying for a certificate is that it might be simpler for you.
The "Mickey Mouse" comment was wrong as well. You might run into a trademark
problem if you were selling certificates using "Mickey Mouse" as the
organization name, but for your own private certs this isn't a problem.
> I can see that the cost of certificates might make some companies
> think about doing their own. If the security office, or HP department
> of a company wishes to sign digital signatures for staff, I can't see
> why they should not do so. I'm sure if Microsoft signed their own
> certificates, in a way verifiable from the homepage of
> www.microsoft.com, that would satisfy most people.
The main problem with doing your own and not controlling the browsers
used to access the web site is that people will get scary warnings
from their browser. The browser maker and cert orgs like this since
companies will pay money to the cert companies to avoid scaring away
customers and the cert companies pay the browser companies to include
their certs as trusted by default. The whole thing is a big scam as
it doesn't protect people from going to a different site than they meant
that also has a valid cert and it doesn't protect information stored
at the remote site. Most credit card theft from web transactions is
going to come from data that is stored at the remote site, not by
sniffing it in transit.