[159202] in North American Network Operators' Group


Re: Gmail and SSL

daemon@ATHENA.MIT.EDU (Peter Kristolaitis)
Sat Dec 29 21:41:42 2012

Date: Sat, 29 Dec 2012 21:41:35 -0500
From: Peter Kristolaitis <alter3d@alter3d.ca>
To: Mark - Syminet <mark@syminet.com>
In-Reply-To: <13C7AEC5-5A6F-448D-AE62-87DE2244BEEA@syminet.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 12/29/2012 7:41 PM, Mark - Syminet wrote:
> On Dec 14, 2012, at 7:52 AM, Peter Kristolaitis <alter3d@alter3d.ca> wrote:
>
>> On 12/14/2012 10:47 AM, Randy wrote:
>>> I don't have hundreds of dollars to get my ssl certificates signed
>> You can get single-host certificates issued for free from StartSSL, or for very cheaply (under $10) from low-cost providers like CheapSSL.com.  I've never had a problem having my StartSSL certs verified by anyone.
>>
>
> So I guess the question really, is this:
>
> Is it bad, therefore - to *force* every holder of a self-signed certificate - to transmit in the clear?
>

There are plenty of good reasons for self-signed certs -- people stuck 
running a Microsoft environment might find it difficult without 
it, since it's a fundamental feature of Active Directory. ;)   Various 
F/OSS projects, like OpenVPN, generally recommend self-signed certs as a 
standard deployment scenario, because it actually provides an extra 
layer of security -- as the CA, you determine who gets a cert and who 
doesn't.   The difficulty you'll run into is defining "self-signed".   
If you generate your own CA and put the certs in your /etc/ssl 
directory, it's still "self-signed" (as in you're the one signing the 
end-use certs), the only difference is that your browser, etc, won't pop 
up a warning because it's now "trusted".

It's also important to not conflate "encryption" with "chain of trust 
validation".   There are good reasons to encrypt without really caring 
who you're talking to.  There are also good reasons to not necessarily 
trust an arbitrary list of CAs as provided by your SSL stack vendor and 
provide your own list, as mentioned above.

Two entirely separate issues, IMHO.

- Pete
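The distinction Pete draws above (a leaf cert signed by a CA you run yourself, versus a leaf signed with its own key, versus the trust anchor you choose to validate against) can be exercised with nothing but openssl. The script below is an added example, not code from the post or from any of the projects mentioned: it builds a throwaway private CA, issues a host certificate from it, also produces a self-signed certificate for the same host, and then checks each against a chosen anchor with the system store excluded. The host name mail.example.internal, the file names, the P-256 key type and the temporary work directory are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): build a private CA with
# openssl, sign a host certificate with it, and compare the verification
# outcomes for "CA-signed", "self-signed" and "pinned as its own anchor".
# Host name, file names, key type and the work directory are assumptions.
set -eu

# build_pki DIR: create a private CA, a CA-signed host cert, and a
# self-signed host cert (same subject, no CA involved) under DIR.
build_pki() {
    dir="$1"
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Private CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$dir/host.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = mail.example.internal
[ host_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.internal
EOF
    # The CA certificate is itself self-signed: this is the root you would
    # drop into /etc/ssl (or wherever your stack looks) on your own hosts.
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -config "$dir/ca.cnf" -extensions ca_ext -sha256 -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Host certificate: a CSR signed by the private CA, so "self-signed"
    # only in the sense that you, not a public CA, decided to issue it.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -config "$dir/host.cnf" -keyout "$dir/host.key" -out "$dir/host.csr" 2>/dev/null
    openssl x509 -req -in "$dir/host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 365 \
        -extfile "$dir/host.cnf" -extensions host_ext -out "$dir/host.crt" 2>/dev/null
    # The same host, but signed with its own key: "self-signed" in the
    # narrow sense, with no separate CA anyone could choose to trust.
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -config "$dir/host.cnf" -extensions host_ext -sha256 -days 365 \
        -keyout "$dir/self.key" -out "$dir/self.crt" 2>/dev/null
}

# verifies ANCHOR CERT: prints OK or FAIL depending on whether CERT chains
# to ANCHOR alone. The default system store is deliberately excluded so the
# result reflects only the trust list you supplied.
verifies() {
    if openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# run_demo: build the PKI in a scratch directory and print the three cases.
run_demo() {
    dir="$(mktemp -d)"
    build_pki "$dir"
    echo "host.crt against the private CA:   $(verifies "$dir/ca.crt"   "$dir/host.crt")"  # OK
    echo "self.crt against the private CA:   $(verifies "$dir/ca.crt"   "$dir/self.crt")"  # FAIL
    echo "self.crt pinned as its own anchor: $(verifies "$dir/self.crt" "$dir/self.crt")"  # OK
    rm -rf "$dir"
}

run_demo
```

The third case is the "encryption without caring who signed it" side of Pete's point made concrete: the self-signed cert validates perfectly well once the verifier pins that exact certificate as its anchor, and fails only when it is asked to chain to somebody else's CA. Whether a client shows a warning is therefore a property of the trust list it was handed, not of the certificate or of the TLS session that uses it.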


