delegating SSL certificates

Leichter, Jerry leichter_jerrold at emc.com
Mon Mar 17 10:06:17 EDT 2008


| >> So at the company I work for, most of the internal systems have
| >> expired SSL certs, or self-signed certs.  Obviously this is bad.
| >
| >You only think this is bad because you believe CAs add some value.
| 
| Presumably the value they add is that they keep browsers from popping
| up scary warning messages....
Apple's Mail.app checks certs on SSL-based mail server connections.
It has the good - but also bad - feature that it *always* asks for
user approval if it gets a cert it doesn't like.

One ISP I've used for years (BestWeb) uses an *expired* self-signing
cert.  The "self-signed" part I could get around - it's possible to
add new CA's to Mail.app's list.  But there's no way to get it to
accept an expired cert automatically.  So ... every time Mail.app
starts up, it complains about the cert and asks me to approve it.
This stalls Mail's startup, and it fails to pick up mail - from any
server - until I tell it, OK, yes, go ahead.  The cert has now been
expired for over 2 years.  (You might well wonder why, if you're going
to use a self-signed cert, you *ever* let it expire - much less cut one,
like theirs, with a 1-year lifetime.  Since all you're getting with a
self-signed cert is "continuity of identity", expiration has no
positives, just negatives.  Perhaps they were planning to go out of
business in a year? :-) )

I've been in touch with BestWeb's support guys repeatedly.  Either
they just don't understand what I'm talking about, or I'll finally
get someone to understand, he'll ask me for details on which cert
is expired, I'll send them - and then nothing will happen.

Clueless.  Just to add to the amusement, *some* of their services - Web
mail, and through it tuning of their spam filters - are accessible
*only* through HTTP, not HTTPS.  These use the same credentials....

Perhaps I should just go with the flow and use unencrypted connections.
(Or get over my inertia, stop trying to get them to fix things, and
drop my connections to them at the next renewal....)

							-- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list