
Submitted by Bill St. Clair on Mon, 04 Sep 2000 12:00:00 GMT
Yesterday, I read about generating and working with encryption certificates using the keytool utility that comes with the JDK. I successfully created a new self-signed key and a signing request. I requested and received a temporary signed certificate from Verisign. They give temporary certificates that last for only 2 weeks. keytool did not recognize the signed certificate. I got another testing certificate from Thawte. This was a much easier process: paste the request, copy the certificate from the resulting web page. The Verisign process took me through a bunch of windows, asked for everything about me, and then emailed the certificate a few minutes later (they promise 1 hour turnaround, Thawte gives it to you NOW). Also, Thawte lets you decide how long your testing certificate will be valid, up to a year, and offers a bunch of different certificate formats. The Thawte certificate imported fine. Both Verisign and Thawte gave me a test-only authority certificate, so the test certificates will look valid only to a browser that has imported the test-only authority. I installed the test-only certificate in my browsers and changed Sun's sample HTTP file server to use my newly-signed certificate instead of the one they distributed. IE & Opera both complained that the certificate authority was valid and the certificate was valid, but the certificate's name was a different domain than my web server (I put my company's web server address in the certificate, but was testing on localhost). Eureka! Exactly as it should be.
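The whole afternoon's workflow, as an added example that is not part of the original post: a keytool script that plays both sides, the test-only CA and the server. It assumes a current JDK on the PATH (keytool -gencert and -ext arrived in JDK 7 and did not exist in 2000, so a local test CA stands in for Verisign or Thawte), and uses placeholder names: www.example.com as the server name, "changeit" as the password. The hostname comparison at the end is a simplified shell version of what the browser did (exact match or a one-label wildcard against the certificate's DNS names); it is not Java's or any browser's own code.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes a modern JDK keytool.
# Placeholders: www.example.com, password "changeit", alias names testca/server.
PASS=changeit

# 1. Test-only CA: a self-signed key marked CA:true. This plays the part of the
#    "test-only authority certificate" the commercial CAs handed out.
gen_test_ca() {            # gen_test_ca DIR
  keytool -genkeypair -keystore "$1/ca.p12" -storetype PKCS12 \
    -storepass "$PASS" -keypass "$PASS" -alias testca -keyalg RSA -keysize 2048 \
    -validity 365 -dname "CN=Test-Only CA, O=Example" -ext bc=ca:true
  keytool -exportcert -keystore "$1/ca.p12" -storepass "$PASS" -alias testca \
    -rfc -file "$1/testca.cer"
}

# 2. Server key plus certificate signing request (the "self-signed key and a
#    signing request" step). The CSR is what gets pasted into the CA's form.
gen_server_csr() {         # gen_server_csr DIR HOSTNAME
  keytool -genkeypair -keystore "$1/server.p12" -storetype PKCS12 \
    -storepass "$PASS" -keypass "$PASS" -alias server -keyalg RSA -keysize 2048 \
    -validity 365 -dname "CN=$2, O=Example"
  keytool -certreq -keystore "$1/server.p12" -storepass "$PASS" -keypass "$PASS" \
    -alias server -file "$1/server.csr"
}

# 3. The CA signs the CSR. 14 days, like the Verisign trial certificate; the
#    hostname goes into a SAN entry, which is what browsers actually check.
sign_csr() {               # sign_csr DIR HOSTNAME
  keytool -gencert -keystore "$1/ca.p12" -storepass "$PASS" -keypass "$PASS" \
    -alias testca -infile "$1/server.csr" -outfile "$1/server.cer" -rfc \
    -validity 14 -ext "san=dns:$2" -ext eku=serverAuth
}

# 4. Import order matters: the CA root must already be trusted in the keystore
#    when the reply is imported, or keytool refuses it with
#    "Failed to establish chain from reply".
import_reply() {           # import_reply DIR
  keytool -importcert -keystore "$1/server.p12" -storepass "$PASS" \
    -alias testca -file "$1/testca.cer" -noprompt
  keytool -importcert -keystore "$1/server.p12" -storepass "$PASS" -keypass "$PASS" \
    -alias server -file "$1/server.cer" -noprompt
}

# DNS names carried by the certificate (SubjectAlternativeName DNSName entries).
cert_dns_names() {         # cert_dns_names CERTFILE
  keytool -printcert -file "$1" | sed -n 's/^ *DNSName: *//p'
}

# Simplified RFC 2818-style name check: exact match, or a wildcard that covers
# exactly one leading label (*.example.com matches www.example.com, not
# a.www.example.com and not localhost). Returns 0 on match, 1 otherwise.
hostname_matches() {       # hostname_matches HOST CERTNAME
  case "$2" in
    "$1") return 0 ;;
    \*.*) [ -n "${1%%.*}" ] && [ "${1%%.*}" != "$1" ] &&
          [ "${1#*.}" = "${2#\*.}" ] && return 0 ;;
  esac
  return 1
}

# What IE and Opera did: chain and certificate are fine, but the name the
# browser connected to must match a name in the certificate.
browser_check() {          # browser_check HOST CERTFILE -> 0 if some name matches
  for n in $(cert_dns_names "$2"); do
    hostname_matches "$1" "$n" && return 0
  done
  return 1
}

run_demo() {               # run_demo DIR
  gen_test_ca "$1"
  gen_server_csr "$1" www.example.com
  sign_csr "$1" www.example.com
  import_reply "$1"
  # Serving on localhost with a certificate issued for www.example.com: mismatch.
  if browser_check localhost "$1/server.cer"; then
    echo "localhost: name matches"
  else
    echo "localhost: certificate name mismatch (expected, exactly as it should be)"
  fi
  browser_check www.example.com "$1/server.cer" && echo "www.example.com: name matches"
}

if command -v keytool >/dev/null 2>&1; then
  run_demo "$(mktemp -d)"
else
  echo "keytool not on PATH; install a JDK to run this demo" >&2
fi
```

The same script also makes the Verisign failure reproducible in the other direction: skip the first importcert in import_reply and the reply import fails, because keytool will not accept a signed certificate whose issuer it cannot chain to something already trusted. Note that the example matches only SAN names; the 2000-era practice of putting the hostname in CN alone is no longer honoured by current browsers.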

This process took all afternoon, but I think I know what I'm doing with certificates now, and I know that when I get a real signed certificate I'm going to use Thawte, not Verisign. The Thawte certificates are cheaper, too ($125 vs. $349 for 40-bit, $300 vs. $895 for 128-bit). The only drawback is that Thawte requires paper to be faxed or mailed, whereas Verisign can use your Dun & Bradstreet ID to do electronic verification, if your company is registered with D&B. Now that Verisign has bought Thawte, hopefully they'll bring down their prices. Then again, the car manufacturers seem to get away with charging more for the more exclusively named models. I suppose the computer industry can do the same.

This certificate authority business seems like a pretty good racket to me. $125 for comparing the name and address on a DBA form with the name and address in a nameserver entry with the name and address in a certificate, and running some software to generate and email a confirmation number. And Verisign does Thawte one better: $349 for spending a few milliseconds of computer time to do the same with a D&B database query. Of course they've gotta pay people to keep their web servers running, but that's small change compared to millions of yearly certificate renewals. Most of their expenses must come from marketing (and payment?) to convince the browser vendors to include the CA certificates in their shipping products.

Bridge to Freedom is a web site by Peter M. Sisco on volitional science, the work of Andrew Galambos. "Volitional Science, which Galambos developed himself, sought to find a way to eliminate coercion, in all its forms, from the society of mankind." Dr. Galambos's first tome in a planned 4 or 5 volume set is Sic Itur Ad Astra (This Is the Way to the Stars). Amazon's customer reviews are worth reading. I've never read such glowing reviews of any book at Amazon or anywhere else. It ain't cheap. $125 for paperback or $2500 for hardcover (not in stock anywhere). If that's too rich for you, there's an introductory book: Thrust for Freedom.

News later, in sha' allah.
