[ale] SSL Certificates

Michael H. Warfield mhw at WittsEnd.com
Thu Sep 20 11:06:56 EDT 2012


On Thu, 2012-09-20 at 05:45 -0400, Jim Lynch wrote:
> On 09/17/2012 01:02 PM, mike at trausch.us wrote:
> > So... unless we're defining "LOTS" as "2 class 2 certs per year", I have
> > to say that StartSSL is less expensive almost universally. :-)
> Could someone please explain what those classes mean in practical terms 
> for those unenlightened of us.  I know that https sites need certs but 
> what class?  And what are the other classes used for?

This gets really ugly, quite frankly.

Certs are basically containers for public keys, associated attributes,
constraints, types and signatures.  In this particular case, the "class"
of the cert is referring to the extent of the validation and,
implicitly, the degree of trust you can assume in it.

In the early days of SSL, I had to prove to Verisign that I had the
rights to apply for a cert for my organization "Thaumaturgy and
Speculums Technology".  Back in those days, merely having a D&B listing
was sufficient and I had certs from them until they quadrupled the price
on them.  That would sort of be the equivalent of a "class 2 cert" from
StartCom.  They actually do some validation on you.

Their "class 2 certs" also allow for wildcards (*.domain), multiple
domains (subjectAltName in X.509 lingo) and code signing (extended
attribute).  Their "class 1 certs" are minimal verification and more
limited functionality (no wildcards, alt names, or code signing) but
good for minimal web servers.  They also offer EV (Extended Validation)
certs which require a third party verification of who you are.

Their Class 1 and Class 2 certs are OV certs (Organizational Validation)
certs.  OV certs also mean "user" certs for E-Mail purposes.  There are
a couple of other categories of certs such as DV (Domain Validation)
certs which are intended to tie to your domain much like DNSSEC would
(except they sell you a product instead of you doing it for yourself for
free through your registrar).  EV certs are also sort of a category as
well as a level of cert.  You could almost consider them to be a "class
3" cert the way StartCom puts it.  They're like a class 2 cert only
they add the requirement of that third party verification.

http://www.royaltynetworks.com/blog/2012/03/05/the-3-types-of-ssl-certificate-validation/

All of these certs can have different X.509 v3 extended attributes such
as server, client, serverAuth, and/or email types plus a variety of
constraints such as "CA".

> Thanks,
> Jim.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
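Added example (editor's addition, not code from Mike's post, from StartCom or from the list): the script below mints a self-signed X.509 v3 cert that carries the attributes the post talks about (a wildcard plus several names in subjectAltName, serverAuth/clientAuth/emailProtection extended key usage, and the "CA" basic constraint set to FALSE), reads those extensions back out of the cert, and then applies the single-label wildcard rule when checking a hostname against the SAN list. The names (example.test, Example Org, admin@example.test) are made up; the only requirement is an openssl CLI with `openssl req` and `openssl x509`. The extensions are given in a config section rather than via `-addext` so it also runs on older OpenSSL releases.

```shell
#!/bin/sh
# Added example, not from the original post: build a self-signed X.509 v3 leaf
# cert with subjectAltName (incl. a wildcard), extendedKeyUsage and
# basicConstraints, then inspect it. All names below are fictitious.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# OpenSSL config with a "v3_leaf" extension section (works without -addext).
cat > "$WORK/leaf.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_leaf

[ dn ]
CN = www.example.test
O  = Example Org

[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, emailProtection
subjectAltName   = DNS:www.example.test, DNS:*.example.test, email:admin@example.test
EOF

# make_cert: generate an RSA key and a self-signed cert; prints the PEM path.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/leaf.cnf" -extensions v3_leaf \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.pem" >/dev/null 2>&1
    printf '%s\n' "$WORK/leaf.pem"
}

# ext_value CERT HEADER: print the value line that follows the named X509v3
# extension header in `openssl x509 -text` output (leading spaces stripped).
ext_value() {
    openssl x509 -in "$1" -noout -text |
        awk -v h="$2" 'found { sub(/^ +/, ""); print; exit }
                       index($0, h) { found = 1 }'
}

san_names() { ext_value "$1" "Subject Alternative Name"; }
key_usage() { ext_value "$1" "Extended Key Usage"; }
# is_ca: succeeds only if the cert is allowed to act as a CA (the "CA" constraint).
is_ca()     { ext_value "$1" "Basic Constraints" | grep -q 'CA:TRUE'; }

# host_matches_san CERT HOST: succeed if HOST is covered by a DNS entry in the
# SAN list. A wildcard covers exactly one leftmost label (RFC 6125 rule), so
# *.example.test covers www.example.test but not a.b.example.test and not the
# bare example.test. Globbing is switched off so "*.example.test" stays literal.
host_matches_san() {
    cert=$1 host=$2
    set -f
    for n in $(san_names "$cert" | tr ',' '\n' | sed -n 's/^ *DNS://p'); do
        case "$n" in
            \*.*)
                rest=${host#*.}    # HOST with its first label removed
                if [ "$rest" != "$host" ] && [ "$rest" = "${n#\*.}" ]; then
                    set +f; return 0
                fi ;;
            *)
                if [ "$n" = "$host" ]; then set +f; return 0; fi ;;
        esac
    done
    set +f
    return 1
}

# Stand-alone run: show the extensions and try a few hostnames against the SANs.
CERT=$(make_cert)
echo "subjectAltName:   $(san_names "$CERT")"
echo "extendedKeyUsage: $(key_usage "$CERT")"
if is_ca "$CERT"; then echo "basicConstraints: CA:TRUE"; else echo "basicConstraints: CA:FALSE"; fi
for h in www.example.test mail.example.test a.b.example.test example.test; do
    if host_matches_san "$CERT" "$h"; then echo "$h: covered"; else echo "$h: not covered"; fi
done
```

The same `ext_value` trick works for any real server cert you pull down with `openssl s_client -showcerts`, which is the quickest way to see which of the attributes above a CA actually put into the cert it sold you.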