Nathan,
On 3/8/2017 12:35 PM, Nathan Andelin wrote:
> Same is true for web services. Web service clients and servers don't mess
> with certificate authorities. Why do browsers?
Not sure that I agree that SMTP and Web Services don't care about CAs,
but...
Because SSL was originally created with the thought of opening up stores
where you could buy items with credit cards over the Internet.
The problem is, having the site encrypted does absolutely no good if you
send your credit card number to a criminal's web site. Sure, your card
is nicely protected as it's sent, but if it's sent to a criminal, it's
still a big problem.
The job of a certificate authority is to verify that you really are who
you say you are. So if you claim to be www.amazon.com, the certificate
authority will not issue a certificate unless you somehow "prove" it.
(They might call Amazon's phone number, for example, or something
similar... depending on how seriously they take it.)
If you go to Amazon.com, but get a certificate for another site, you can
be sure that someone is intercepting the session and redirecting
it somewhere else.
You might say "but, nobody does that!" Yeah, and there's a reason... if
they did, it wouldn't match the CA, and so the customer would not be
fooled. You can bet that if SSL wasn't so picky about things, this
would be a common problem.
Typically, the only time CAs aren't used is when SSL is set up
internally within an organization (vs. the public Internet). Here you
can reasonably trust things since you know exactly who you are dealing
with. Or, with client-side certificates. Client-side certificates are
almost never used in SSL, but when they are, the certificates are
typically used by whoever is running the server, since the purpose is
to make sure only people they allow to use the site can log in. So a
public CA where anyone can get a cert doesn't make much sense for
client-side.
-SK
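
The two checks a client applies, that the certificate chains to a CA it trusts and that it names the host that was requested, shown with the openssl command line as an added example that is not part of the original message. The CA names, hostnames and file names are constructed for the illustration.

```shell
#!/bin/sh
# Added example: every CA, hostname and key here is constructed and throwaway.
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed root standing in for a certificate authority.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue CA HOST OUT: the CA signs a certificate stating the key belongs to HOST.
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$3.ext"
    openssl x509 -req -in "$WORK/$3.csr" -days 1 -extfile "$WORK/$3.ext" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$3.pem" 2>/dev/null
}

# check TRUSTED_CA WANTED_HOST CERT: the two tests a client applies on connect,
# (1) chain leads to a CA it trusts, (2) certificate names the host it asked for.
check() {
    if openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$2" \
        "$WORK/$3.pem" >/dev/null 2>&1
    then echo accept
    else echo reject
    fi
}

make_ca public-ca     # the CA the client's trust store contains
make_ca private-ca    # a CA an organisation runs for itself
issue public-ca  shop.example.test  genuine    # trusted CA, requested name
issue public-ca  other.example.test redirect   # trusted CA, some other site
issue private-ca shop.example.test  selfmade   # requested name, CA the client does not know

echo "genuine site:             $(check public-ca shop.example.test genuine)"
echo "certificate for other site: $(check public-ca shop.example.test redirect)"
echo "name claimed, unknown CA: $(check public-ca shop.example.test selfmade)"
echo "internal client, own CA:  $(check private-ca shop.example.test selfmade)"
```

The last line is the internal case from the message: the same certificate is accepted once the client is configured to trust the organisation's own CA.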