Changes between Version 1 and Version 2 of faq/security/what-is-an-ssl-certificate


Timestamp: Aug 22, 2007, 1:48:29 AM (13 years ago)
Author: Daniel Kahn Gillmor
Comment:

--

  • faq/security/what-is-an-ssl-certificate

    v1 v2  
    1111 * The certificate has expired. When Dotster/Thawte issues a certificate, it comes with a time frame, usually a year. Once the year is up. the certificate will have "expired" requiring us to purchase a new one. If we don't purchase the new one before the old one expires, your browser may report this problem.
    1212 * The domain you are connecting to does not match the domain on the certificate. Often we run many domains on the same server. For example, the  secure.mayfirst.org runs on the same server as wiki.mayfirst.org (our internal wiki site). Our certificate is issued to secure.mayfirst.org. So, if I try to access https://wiki.mayfirst.org, my browser will report the discrepancy. As long as the domain on the certificate is one that I trust, I generally continue connecting to the site.
    13  * The certificate was issued by an authority that you are not configured to trust. Often times, rather than shelling out bucks to pay a corporation to prove that you are who you say you are, web site administrators will sign their own certificates. While your browser is probably configured by default to trust Dotster/Thawte, it is not configured to trust everyone. In these situations, you should contact the administrator of the site and ask them how to configure your browser to trust their certificate authority.
     13 * The certificate was issued by an authority that you are not configured to trust. Often times, rather than shelling out bucks to pay a corporation to prove that you are who you say you are, web site administrators will sign their own certificates. While your browser is probably configured by default to trust Dotster/Thawte, it is not configured to trust everyone. In these situations, you should contact the administrator of the site and ask them how to configure your browser to trust their certificate authority.  Alternately, you could ask your browser to accept the specific certificate offered for their site, thereby avoiding trusting another potentially untrustworthy certificate authority.
    1414
    1515This is the way the system works now. To go deeper, you may be interested in an [http://lair.fifthhorseman.net/~dkg/tls-centralization/ article] published by Daniel Kahn Gillmor that offers some criticism about this model of security.
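
Review bot: The sentence added at v2 line 13 tells readers to accept the specific certificate offered for the site, but it gives no step for checking that the certificate really is the administrator's. As written, a reader could simply accept whatever certificate is presented when the warning appears, which removes the assurance the warning is meant to provide. Suggest adding that the certificate's fingerprint should be confirmed with the site administrator over a separate channel before it is accepted. Minor style points in the same sentence: "Alternately" reads better as "Alternatively", and there is a doubled space before it.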