[colug-432] ca-cert meetups?
R P Herrold
herrold at owlriver.com
Sat Oct 23 18:46:11 EDT 2010
On Sat, 23 Oct 2010, Andy Graybeal wrote:
> Thank you for your advice. I will chew on it.
>
> What do you suggest I do to get my company verified (we are a for-profit coop
> corp). We would like to have a web store and run a VPN. Verisign is very
> expensive.
Reading the startssl.org website comes to mind --
looking, it turns out the link called: startssl
PKI (that leads to 'startssl.com') applies. The chart at:
https://www.startssl.com/?app=40
lays out the function grid well
> Is StartSSL only for individuals?
no --- I have a personal one, and also the 'Class 2
Organization Validation (StartSSL. Verified)' permission
Comparing the certificate representations between
https://secure.pmman.com/ using GoDaddy
(an active site -- it uses a godaddy cert for
historical reasons)
and
https://stronghold.pmman.com/ using StartCom
(a placeholder site in development, which will match:
https://stronghold.iwaynet.net/payment/payonline.php
-- we moved the latter to a StartCom cert from a
GeoTrust certificate, last time it expired)
I really see no material difference
The 'Subject' field is probably the only material field that
matters, when the CA is known in the browser certificate
deployment [that is, each 'closes the SSL lock']
secure
CN = secure.pmman.com
OU = Domain Control Validated
O = secure.pmman.com
stronghold
E = domains at 781resolution.com
CN = stronghold.pmman.com
OU = StartCom Verified Certificate Member
O = "781 Resolution, LLC"
L = Columbus
ST = Ohio
C = US
Object Identifier (2 5 4 13) = 153931-L6cw2I2MmVfV5FbI
The StartCom offers a bit more detail actually, but as it
relates to the entity requesting the certificate, rather than
the domain specific details, it does not convey much to a
person not willing to think through what the 'authentications
and verifications' mean -- the 'class 2/3' non-EV simply mean
the issuing entity has authority to access certain details in
the management of a domain; EV certificates add a
representation that the CA ('certificate authority') has
confirmed to some level those representations by the entity
submitting a key for countersign endorsement by the CA
The new 'green bar' EV -- Extended Verifications -- take an
additional authentication step of tying a particular
certificate to a specific legal entity, but because they
include the additional 'representation by the CA' that certain
details match and are accurate, they are slower to issue as
one has to supply, and the CA has to review the
representations in paperwork making representations of
authority and so forth
--------
I dodged the 'what do you suggest' question above, because I
needed the narrative above to provide an answer. If all one
wants is to 'close the lock', it is least expensive to use
StartCom with the investment of the time to figure it out.
[note that RapidSSL, and such have certificates for $20 or so
with some hard shopping]
<advert> If it is too hard to work out quickly or not worth
the effort in a 'buy v build' decision, pmman will issue
certificates for domains it manages the DNS for, for $5 each,
on top of the annual DNS management charges of $60 (unlimited
domains). The economics favor use by folks running lots of
domains through that interface, and pulling lots of
certificates, which is our intent -- we 'whitebox' these
services for ISPs </advert> Looking at a management console, I
see several thousand records for several hundred active
domains
-- Russ herrold
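Added example, not part of Russ's post: the two Subject listings above, parsed with the Python standard library and sorted into what a browser actually enforces (the name matching the host, plus a chain to a trusted root) versus the organisation fields that only a reader who knows the DV/OV distinction will interpret. The sample input is copied from the mail; the DV/OV heuristic, the hypothetical OID table and the function names are assumptions of this example.

```python
"""Added example: parse the Subject listings from the mail and separate
what a browser enforces from what is merely informational."""
import re
from typing import Dict

# Constructed sample input: the two Subject listings quoted in the post, in
# the "KEY = value" layout a browser certificate viewer prints.
SUBJECT_DV = """\
CN = secure.pmman.com
OU = Domain Control Validated
O = secure.pmman.com
"""

SUBJECT_OV = """\
E = domains at 781resolution.com
CN = stronghold.pmman.com
OU = StartCom Verified Certificate Member
O = "781 Resolution, LLC"
L = Columbus
ST = Ohio
C = US
Object Identifier (2 5 4 13) = 153931-L6cw2I2MmVfV5FbI
"""

# Hypothetical name table for attributes the viewer could not name;
# 2.5.4.13 is the X.520 "description" attribute.
OID_NAMES = {"2.5.4.13": "description"}

OID_LINE = re.compile(r"^Object Identifier \(([\d ]+)\)\s*=\s*(.*)$")
ATTR_LINE = re.compile(r"^([A-Za-z]+)\s*=\s*(.*)$")


def parse_subject(text: str) -> Dict[str, str]:
    """Turn the viewer listing into {attribute: value}; attributes the viewer
    shows only as an OID are keyed by the dotted OID. Quotes are stripped."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OID_LINE.match(line)
        if m:
            key, value = ".".join(m.group(1).split()), m.group(2)
        else:
            m = ATTR_LINE.match(line)
            if not m:
                raise ValueError(f"unparseable Subject line: {line!r}")
            key, value = m.group(1), m.group(2)
        fields[key] = value.strip().strip('"')
    return fields


def validation_level(fields: Dict[str, str]) -> str:
    """Heuristic (an assumption of this example): DV certs carry no vetted
    organisation, so O is missing, repeats the CN, or OU says so; OV adds a
    real O plus locality fields. EV cannot be read from the Subject at all;
    it is signalled by a certificatePolicies OID, which the viewer listing
    does not show."""
    org = fields.get("O", "")
    if fields.get("OU") == "Domain Control Validated" or not org or org == fields.get("CN"):
        return "DV"
    if all(k in fields for k in ("L", "ST", "C")):
        return "OV"
    return "unknown"


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name match: exact, or a single leading '*' label that
    stands for exactly one label, so *.example.com covers neither
    example.com nor a.b.example.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def assess(text: str, hostname: str) -> Dict[str, object]:
    """The name match (with a trusted chain, not modelled here) is what
    closes the lock; the organisation fields only tell a careful reader
    who was vetted and to what level."""
    fields = parse_subject(text)
    cn = fields.get("CN", "")
    return {
        "cn": cn,
        "name_ok": hostname_matches(cn, hostname),  # enforced by the browser
        "level": validation_level(fields),           # left to the reader
        "organisation": fields.get("O", ""),
        "extra": {OID_NAMES.get(k, k): v for k, v in fields.items() if "." in k},
    }


if __name__ == "__main__":
    for text, host in ((SUBJECT_DV, "secure.pmman.com"),
                       (SUBJECT_OV, "stronghold.pmman.com")):
        print(assess(text, host))
```

One caveat on the name check: current browsers match the host against the subjectAltName extension and ignore the CN, so a real audit script would read SAN entries rather than the Subject; the CN is used here only because that is what the mail's viewer listings show.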