shorewall_code/STABLE/documentation/Shorewall_CA_html.html
2003-02-08 20:48:47 +00:00

95 lines
3.9 KiB
HTML

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall Certificate Authority</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Certificate Authority
(CA) Certificate</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
Given that I develop and support Shorewall without asking for any renumeration,
I can hardly justify paying $200US+ a year to a Certificate Authority such
as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
I am who I am. I have therefore established my own Certificate Authority
(CA) and sign my own X.509 certificates. I use these certificates on my list
server (<a href="https://lists.shorewall.net">https://lists.shorewall.net</a>)
which hosts parts of this web site.<br>
<br>
X.509 certificates are the basis for the Secure Socket Layer (SSL). As
part of establishing an SSL session (URL https://...), your browser verifies
the X.509 certificate supplied by the HTTPS server against the set of Certificate
Authority Certificates that were shipped with your browser. It is expected
that the server's certificate was issued by one of the authorities whose
identities are known to your browser. <br>
<br>
This mechanism, while supposedly guaranteeing that when you connect to
https://www.foo.bar you are REALLY connecting to www.foo.bar, means that
the CAs literally have a license to print money -- they are selling a string
of bits (an X.509 certificate) for $200US+ per year!!!I <br>
<br>
I wish that I had decided to become a CA rather that designing and writing
Shorewall.<br>
<br>
What does this mean to you? It means that the X.509 certificate that my
server will present to your browser will not have been signed by one of the
authorities known to your browser. If you try to connect to my server using
SSL, your browser will frown and give you a dialog box asking if you want
to accept the sleezy X.509 certificate being presented by my server. <br>
<br>
There are two things that you can do:<br>
<ol>
<li>You can accept the mail.shorewall.net certificate when your browser
asks -- your acceptence of the certificate can be temporary (for that access
only) or perminent.</li>
<li>You can download and install <a href="ca.crt">my (self-signed) CA
certificate.</a> This will make my Certificate Authority known to your browser
so that it will accept any certificate signed by me. <br>
</li>
</ol>
What are the risks?<br>
<ol>
<li>If you install my CA certificate then you assume that I am trustworthy
and that Shorewall running on your firewall won't redirect HTTPS requests
intented to go to your bank's server to one of my systems that will present
your browser with a bogus certificate claiming that my server is that of your
bank.</li>
<li>If you only accept my server's certificate when prompted then the
most that you have to loose is that when you connect to https://mail.shorewall.net,
the server you are connecting to might not be mine.</li>
</ol>
I have my CA certificate loaded into all of my browsers but I certainly
won't be offended if you decline to load it into yours... :-)<br>
<p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003 Thomas
M. Eastep.</font></a></font></p>
<br>
<br>
<br>
</body>
</html>