Arshad Noor wrote, On 2008-06-23 15:58: > Nelson, > > I think you may want to qualify your message in this paragraph, so as > to not mislead people who don't understand PKI very well.
Arshad: I want people who don't understand PKI very well to get one message, loud and clear: Don't try to make and use your own server certs. There are some very limited, very special circumstances in which self signed server certs make sense and aren't time bombs. Those circumstances may constitute 0.1% of the cases where people contemplate using them. But in the other 99.9+% of the cases, self signed server certs are a mistake, pure and simple. I have been developing and supporting SSL in browsers for 12 years now, and during that time I have heard hundreds of stories from people who got themselves into real binds by either trying to use self-signed server certs or trying to run their own CA (but not knowing what they're really doing). I've witnessed individuals, corporations, universities, and banks stumble real hard over these mistakes. (I can write about the problems at length, but won't unless asked.) Given the detailed specifics of a situation, it is possible to determine if self-signed server certs (or certs from a home grown CA) would work in that situation, but for the general case, the my best advice is: don't. > If they do these two things and follow their self-directed policies and > procedures with reasonable diligence, then I would argue that there is > no difference between self-signed or public-CA issued certs. Self-signed certs, whether EEs or CAs, are great until they have to be replaced for any reason. They they're typically a huge nightmare, a company-wide flag-day event for which no one is trained or prepared. I've heard of companies that almost went bust over this. There are certainly people who really understand PKI, and really know what they're doing. They can setup a real PKI and run a real CA. They can devise a solution that meets their needs and fits their situation, even if it involves their own self signed CA certs. They know enough to avoid a setup that will someday cause that huge nightmare, and they know that they can ignore my warnings. :) The problem is that people who really aren't qualified often think they are qualified, and they choose to ignore warnings that they should not. Obtaining professional quality CA software may help avoid various problems with certificate formats, and is likely to avoid problems with serial number reuse, but even with such software, people who don't really understand PKI can make colossal mistakes. So, my general advice to people contemplating issuing their own certs is: unless you really know how to run a good CA, don't play CA and don't make your own certs. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
