Shorewall Certificate Authority
(CA) Certificate
|
Given that I develop and support Shorewall without asking for any renumeration,
I can hardly justify paying $200US+ a year to a Certificate Authority such
as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
I am who I am. I have therefore established my own Certificate Authority (CA)
and sign my own X.509 certificates. I use these certificates on my web server
(http://www.shorewall.net) as well
as on my mail server (mail.shorewall.net).
X.509 certificates are the basis for the Secure Socket Layer (SSL). As part
of establishing an SSL session (URL https://...), your browser verifies the
X.509 certificate supplied by the HTTPS server against the set of Certificate
Authority Certificates that were shipped with your browser. It is expected
that the server's certificate was issued by one of the authorities whose identities
are known to your browser.
This mechanism, while supposedly guaranteeing that when you connect to https://www.foo.bar
you are REALLY connecting to www.foo.bar, means that the CAs literally have
a license to print money -- they are selling a string of bits (an X.509 certificate)
for $200US+ per year!!!I
I wish that I had decided to become a CA rather that designing and writing
Shorewall.
What does this mean to you? It means that the X.509 certificate that my
server will present to your browser will not have been signed by one of the
authorities known to your browser. If you try to connect to my server using
SSL, your browser will frown and give you a dialog box asking if you want
to accept the sleezy X.509 certificate being presented by my server.
There are two things that you can do:
- You can accept the www.shorewall.net certificate when your browser
asks -- your acceptence of the certificate can be temporary (for that access
only) or perminent.
- You can download and install my (self-signed) CA
certificate. This will make my Certificate Authority known to your browser
so that it will accept any certificate signed by me.
What are the risks?
- If you install my CA certificate then you assume that I am trustworthy
and that Shorewall running on your firewall won't redirect HTTPS requests
intented to go to your bank's server to one of my systems that will present
your browser with a bogus certificate claiming that my server is that of
your bank.
- If you only accept my server's certificate when prompted then the
most that you have to loose is that when you connect to https://www.shorewall.net,
the server you are connecting to might not be mine.
I have my CA certificate loaded into all of my browsers but I certainly
won't be offended if you decline to load it into yours... :-)
Last Updated 11/14/2002 - Tom Eastep
Copyright © 2001, 2002 Thomas M. Eastep.