
List:       loadbalancing-l
Subject:    RE: [load balancing] Question about Wildcard certificates, DNS CNAME (alias) and SSL accelerators
From:       "Shawn Nunley" <shawn () nunleys ! com>
Date:       2002-12-19 23:43:19

Alex,

Yes, it really does come down to trust.  Without it, commerce will 
grind to a halt.  SSL has been the killer ingredient to getting this 
commerce engine started.

Why do we trust them?  Well, for one thing, we'd be dead in the water 
if someone wasn't acting in the role of certificate authority and had 
all of the consumer-friendly aspects of the model we have today.  That 
isn't to say it's perfect.  There are some frightful problems, even 
with today's SSL.  It's probably a good thing that these issues haven't 
been hyped in the media, because it would have a devastating effect on 
an already weak economy.  And for no good reason.  There is much less 
real threat from an attacker being able to decrypt an SSL session than 
there is from database break-ins where hackers nab 100,000 credit cards 
at a time.  The real problem lies with negligent site operators who 
don't keep up with patches and intrusion prevention/detection.

-Shawn



> Shawn,
> 
> aaaah.  I hadn't actually considered it from that perspective, the other
> emails on this subject since have also been interesting.  And I agree
> with you that it is doubtful there is any way to enforce the purchasing of
> licenses for all backend servers when using an acceleration device,
> especially when the communication that occurs is non-ssl or self signed.
> 
> Of course all this talk of them changing their restrictions in order to
> sustain revenue brings up the topic of why do we trust these companies
> anyway?  The only reason is that they have managed to get their names
> into all the browsers by default.  They are purely commercially
> orientated companies, sure they may be big, but as we have seen from
> financial scandals like Enron, big is not always trustworthy.
> 
> Some interesting reading is the Verisign Relying Party Agreement, which
> states that "YOU ARE SOLELY RESPONSIBLE FOR DECIDING WHETHER OR NOT TO
> RELY ON THE INFORMATION IN A CERTIFICATE", this and other interesting
> reading is here:
> 
> http://www.verisign.com/repository/
> 
> The problem is that installing common browsers means you have and trust
> these CA root certificates by default (whether you personally trust them
> or not), obviously you can opt out, and no doubt MS/Netscape etc EULAs
> excuse them of any wrongdoings...but still...why should I trust
> Verisign?
> 
> An interesting discussion of the legal aspects of CAs and Certs
> (including a small section on actually trusting them) is here:
> 
> http://www.ilpf.org/groups/ca/app4.htm
> 
> -Alex Moore (getting off topic :))
> 
> 
> On Wed, 2002-12-18 at 16:53, shawn@nunleys.com wrote:
> > Alex,
> > 
> > The legality is proscribed by the usage agreement that you accept when you
> > begin using the certificate.  This agreement is located at:
> > 
> > http://www.verisign.com/repository/agreements/secureSite.html
> 
> ____________________
> The Load Balancing Mailing List
> Unsubscribe:    mailto:majordomo@vegan.net?body=unsubscribe%20lb-l
> Archive:        http://vegan.net/lb/archive
> LBDigest:       http://lbdigest.com
> MRTG with SLB:  http://vegan.net/MRTG
> Hosted by:	http://www.tokkisystems.com