Re: Self-signed key versus Verisign or Thawte


Subject: Re: Self-signed key versus Verisign or Thawte
From: Matthew Schumacher (schu@schu.net)
Date: Thu Jul 18 2002 - 12:43:29 AKDT


Mike,

Certificate-based encryption has two parts to it: public and private
keys. The reason for this is so that the remote party has what they
need to encrypt data that only you can decrypt. So, if I have your
public key I can use it to encrypt data, but only the corresponding
private key is able to decrypt the data. It is not mathematically
possible to derive the private key from the public key, so there aren't
any issues with giving your public key to the whole world.

That said, now we have a new problem. How do you know that the public
key I gave you is actually from me? Well, likely because I told you I
was going to send it before you got it. This is where a certificate
authority comes in. It deals with trust for public keys. If I get a
public key from you that is signed by Verisign and I trust that Verisign
did their homework, then I can also trust your key.

It's the same thing with your driver's license. If I see that it says
Mike Barsalou on it, how do I know that that is your real name? Well, I
trust that the DMV found out what your real name is, but wait, how do
they know that that is your real name? Well, they want to see your birth
certificate. Well, how do we know that your birth certificate has your
real name? Well, your parents filled out some paperwork with some
witnesses when you were born. See, it all comes down to trust.

So to answer your question about what the difference is between a Thawte
or Verisign cert and a self-signed cert, you will need to think about how
much trust is required. Do your customers trust you without anything to
back your claims to being you, or do they need to see your cert signed
by a 3rd party that they trust?

Keep in mind that all newer browsers trust Verisign and Thawte by
default, so certificates signed by them will work without issue, whereas
a self-signed certificate will cause the browser to ask the user if they
trust the certificate.

For internal stuff where I can train the user to trust my CA I use self-
signed certs, but for internet customers I will use a CA that the
browsers trust by default. Keep in mind that Verisign is way too
expensive. If you really need a 3rd party cert you can get one from
directnic.net for $118.

Also, keep in mind that this is why you create the cert and send the
public key to the CA. At no point should the private key leave your
possession. Only the public key gets signed.

Hope that helps,

schu

Mike Barsalou wrote:
> Can someone explain the advantage of having a Certificate from Verisign or
> Thawte over having one self-signed?
>
> Mike
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>

-- 
"We'll need 2000 crickets, 4 cans of Easy Cheese, and the fluid from 18
glowsticks for this plan to work..."

--------- To unsubscribe, send email to <aklug-request@aklug.org> with 'unsubscribe' in the message body.



This archive was generated by hypermail 2a23 : Thu Jul 18 2002 - 12:47:43 AKDT