SSL in Plain English - sr3d
http://alexle.net/archives/309

======
thwarted
Pretty bog standard run-through-the-openssl-commands run down.

 _In my case, GoDaddy want to have 2048 (2KB) for the strength for the private
key. For personal use, a key strength of 1024 bits (1KB) would be sufficient._

1024 bits is not 1KB, 1024 bits is 128 bytes, or one eighth of a KB. 2048 bits
is 256 bytes, or one quarter of a KB.

~~~
sr3d
Doh! I got my bit-size math wrong. Thanks for pointing that out. Post is
updated now.

Regarding your "Pretty bog standard run-through-the-openssl-commands run
down", well, I spent quite a bit of time Googling around and have yet to run
across any decent articles that explain what the heck all the commands mean. So
I do hope my "run-through-the-openssl-commands-run-down" article helps someone
clear up the confusion.

------
sr3d
Does anyone know if it's true that root CAs pay browser vendors to include
their certs in the browsers by default?

~~~
chmike
It depends. Some ask for a payment, others don't. They generally require an
audit of the CA, which is what is charged for. The audit is preferably done by
an independent company specialized in such activity.

CAcert provides free certificates and is trying hard to get its root CA
certificate approved. Judging by the time it takes, I assume it is very
difficult.

~~~
sr3d
Do you know any details about the auditing process that the independent
company would perform on a CA? Since the whole SSL signing business is built
around keeping a 256-byte or so private key private, this file would probably
be protected pretty well.

~~~
viraptor
Have a look at <http://wiki.cacert.org/InclusionStatus> and follow the links
in comments. There's a lot of information about different audits done and
planned, lists of rules, discussions about what happened in the past, etc.

Direct link to Mozilla rules is
<http://www.mozilla.org/projects/security/certs/policy/>

------
acabal
A little disappointed--I thought this was going to be a top-level explanation
of how SSL works to protect data, but instead it was a step-by-step "how to
buy an SSL cert for your server" that honestly wasn't even that clear or
concise.

~~~
sr3d
Sorry for disappointing you :) For this particular post, I didn't want to go
into the nitty-gritty details of public key cryptography. I'm more interested
in the practical application of SSL, since there is truly a lack of a good
general source for understanding what's going on when applying an SSL cert
and why exactly each step is needed.

Most regular people, when it comes to SSL, usually don't have a good
background in encryption, but they want something that works and helps them
implement it on their sites. Especially with SSL so cheap ($12.99 on GoDaddy),
there should not be any reason not to implement it. It's like buying a new
car: sometimes you don't really need to know how the engine works, but just
how to drive your new car by inserting the key and hitting the gas pedal.

My model for this post is after Feynman: explain it in a way that helps pique
the interest of the reader. Once the "why" is explained (maybe not as clearly
or concisely as I'd want), the reader would have a clearer picture of the whole
SSL business. And if he/she wants to find out more about the underlying
encryption algorithm, there's always Wikipedia available for further reading.

------
wildmXranat
Or otherwise about an industry that rakes in huge profits by executing a few
commands on your .crt

I wonder when or if we will get a chance to see a community signed and trusted
SSL certificate provider.

~~~
lolipop1
Not community, but there is <http://cert.startcom.org/>.

You can also do your own (OpenSSL has everything you need).

And for a community one, you'd still need a verification mechanism and a
protection mechanism for the roots, both of which could be hard to do in a
volatile environment. <http://www.cacert.org/> seems to be that; I don't think
they are included in any browsers by default though (it's not in mine at
least).

