Archived posting to the Leica Users Group, 2002/01/20


Subject: Re: [Leica] OT: fishing for X.509 expertise
From: Brian Reid <reid@mejac.palo-alto.ca.us>
Date: Sun, 20 Jan 2002 09:25:34 -0800
References: <5338810.1011476068@cambric.reid.org> <001301c1a1d4$7110a720$8c5bfea9@dan14dyp3s7zcg>

It's actually pretty simple. Let me explain.

Let's suppose that you open a web site called "Wells Froggo Bank", whose 
purpose is to trick people into believing that you are Wells Fargo Bank. 
You make it look a lot like the real Wells Fargo web site. You ask for 
credit card numbers.

How can a web site establish that it is "real"? What does it mean to be 
"real"? There was a fake Vatican web site in Italy for about 3 years before 
somebody finally noticed that its theology was a little different from that 
of the Pope.

The answer is that you get a "certificate", which can prove mathematically 
that you have established your identity to whoever issued the certificate. 
If I am a real bank, I take the papers that prove I am real and go to a 
"Certificate Authority" and I get one of these online certificates and I 
put it on my web site, and bingo: secure connection. In a way it's like the 
online version of a Notary Public.

The problem is that these "Certificate Authority" companies charge a lot of 
money for this service. The going rate is about $700/year.

I'm setting up a new server that will, when I'm done, hold the LUG. I want 
to be able to host PAW photos on it, and I want people to be able to add 
and delete photographs of their own. In order to make it so that you cannot 
delete or deface one of my pictures, I need to set it all up as a secure 
server. Otherwise somebody might put up a photograph of a Republican and 
claim that Kyle took it....

The problem is that the computer industry is used to needing secure servers 
for things that involve a lot of money, so they charge a lot of money for 
the things that you need to make it be secure.

My solution to this is that I'm going to ask LUG participants just to trust 
me, without having to spend $700/year on a certificate proving that I am 
me. To do this, I created a "Certificate Authority" certificate and signed 
it myself. You can see it if you look at https://server2.waverley.reid.org/

Netscape deals with this properly. It asks you, "Do you want to trust Brian 
Reid". You can answer yes or no, and be done with it. Internet Explorer 
does not. Internet Explorer, when you point it at the certificate that I 
created, calls it a forgery and says, incorrectly, that your communications 
will not be secure. I know that it is possible to create certificates that 
Internet Explorer is happy with, and I know that it is possible to do this 
without paying money to Microsoft. But I haven't figured out how to do it 
yet. I had in the past seen that a lot of LUG members earned their Leica 
money in the computer industry, and thought that perhaps one of you would 
know how to do this.




In reply to: Message from Brian Reid <reid@mejac.palo-alto.ca.us> ([Leica] OT: fishing for X.509 expertise)
Message from "Dan Post" <dpost@triad.rr.com> (Re: [Leica] OT: fishing for X.509 expertise)
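
The trust relationship described in the message above, as an added example that is not part of the original post: a self-signed CA certificate, a server certificate issued under it, and `openssl verify` run once as a client that has not been told to trust the CA and once as a client that has. The CA name, the host name `photos.example.test` and the file names are constructed, and the OpenSSL command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example. Constructed names: "Example Private Root CA", photos.example.test.
set -eu

# Create a self-signed CA, then a server certificate signed by it, in directory $1.
build_pki() {
  d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:photos.example.test
EOF
  # Root certificate: subject and issuer are the same name, signed with its own key.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$d/pki.cnf" -extensions v3_ca -subj "/CN=Example Private Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # Server key and certificate signing request.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
    -subj "/CN=photos.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  # The CA signs the request; the resulting certificate names the CA as issuer.
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 30 \
    -extfile "$d/pki.cnf" -extensions v3_leaf -out "$d/srv.pem" 2>/dev/null
}

# Exit status 0 if certificate $1 chains to a trust anchor.
# $2 (optional) is a CA file the client has chosen to trust.
client_accepts() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1   # default trust store only
  fi
}

work=$(mktemp -d)
build_pki "$work"
if client_accepts "$work/srv.pem"; then echo "CA not installed: accepted"; else echo "CA not installed: rejected"; fi
if client_accepts "$work/srv.pem" "$work/ca.pem"; then echo "CA installed: accepted"; else echo "CA installed: rejected"; fi
```
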