[150250] in North American Network Operators' Group
Re: X.509 Certs For Personal Use - Follow Up
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Mon Feb 20 09:58:45 2012
Date: Mon, 20 Feb 2012 06:57:16 -0800
From: Leo Bicknell <bicknell@ufp.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <20120218010729.GA10033@ussenterprise.ufp.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I received a number of interesting replies, most off-list, so I thought
I would summarize and perhaps restart the discussion.
Many folks pushed the "run your own CA" idea. While I get that works,
and even secures the communication, if you run a web site accessed by
random folks it will confuse some percentage of them.
StartCom (www.startssl.com) seems to be the only 100% free option, with
a few limitations. You must own your own domain (for instance they
validate your e-mail based on the ones listed in whois), and the certs
have the Organization set to "Persona not validated". This doesn't
prevent the certs from working fine and "locking the padlock", but if
someone looks at it, it may raise an eyebrow. Still, it's free, you can
generate a personal cert for e-mail and certs for web, smtps, jabber,
etc. Multiple certs are no problem. For 100% free, it's the only
option anyone has mentioned.
From there, you can move up to "cheap" with a couple of options. With
StartCom a $60 upcharge will verify a _person_. From that you can
generate unlimited certs for the domains you own, a pricing model I
think is really nice. They are good for 2 years, although the
verification is only good for 1 year. So it's $60 every 2 years if
you're not doing any new cert issues in that time, or $60 every year if
you are; but the lack of a per-cert charge makes this a pretty good deal
if you run a bunch of domains.
In the per-cert realm, both CheapSSL.COM ($8.95/cert/year) and RapidSSL
($49/cert/3year) offer relatively cheap per-cert pricing for one and
three year certs, respectively. Depending on needs these may be cheaper
or more expensive than StartCom.
I am personally trying out the StartCom free for S/MIME, HTTPS,
SMTPS, and IMAPS right now, and they are working quite nicely thus
far. If the testing goes well with all clients I may upgrade to
their verified product.
One last interesting idea that's not quite ready for prime time.
There's an IETF working group called DANE which has code in Chrome:
https://datatracker.ietf.org/wg/dane/
The idea is pretty simple: DNSSEC sign your zones, and then publish your
own key material in DNS. By doing this there is no need for a CA at all,
which eliminates not only cost but the trust and security issues with
the CA's. Of course it moves the trust and security to DNS, but at
least two folks argued that DNS (management) has proved more secure than
CA's, and at least there were fewer players to audit and trust.
-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
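As an added illustration of the DANE idea in the post above (publishing your own key material in DNS), and not code from the original message, the script below derives the TLSA record a zone owner would publish for a service, using only hashlib and a small DER walker. The certificate it runs on is a constructed dummy with the right DER skeleton rather than a real one, and the RFC 6698 defaults it assumes are usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo) and matching type 1 (SHA-256).

```python
import hashlib

def der_tlv(data, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:  # long form: low bits give the number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def der_children(value):
    """Split a constructed value into (tag, full TLV bytes) per child."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, nxt = der_tlv(value, pos)
        out.append((tag, value[pos:nxt]))
        pos = nxt
    return out

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV from an X.509 certificate."""
    _, cert_body, _ = der_tlv(cert_der)
    _, tbs_body, _ = der_tlv(der_children(cert_body)[0][1])  # tbsCertificate
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def tlsa_record(host, port, proto, cert_der, usage=3, selector=1, matching=1):
    """Build the TLSA RR in RFC 6698 field order (usage selector matching data).
    selector 1 hashes the SPKI, 0 the whole cert; matching 1 = SHA-256, 2 = SHA-512."""
    data = spki_from_cert(cert_der) if selector == 1 else cert_der
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[matching](data).hexdigest()
    return f"_{port}._{proto}.{host}. IN TLSA {usage} {selector} {matching} {digest}"

def der(tag, body):
    """Tiny DER encoder (lengths < 65536), only used to build the sample below."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + body

# Constructed sample certificate: correct DER skeleton, dummy contents (empty
# issuer/subject/validity, 8-byte placeholder key, empty signature). Not a real cert.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
              + der(0x03, b"\x00" + b"\x01" * 8))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, b"") * 4 + SAMPLE_SPKI) + der(0x30, b"") + der(0x03, b"\x00"))

if __name__ == "__main__":
    print(tlsa_record("www.example.com", 443, "tcp", SAMPLE_CERT))
```

With a real certificate, read its DER bytes from disk in place of SAMPLE_CERT; the resulting record only protects clients once the zone is DNSSEC-signed, which is the other half of the scheme described in the post.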