Menu
Is there any real reason to use a 3rd party Certificate Authority for your own email security?
( meaning using S/MIME )
I found I am able to become my own CAuthority and create my own self-signed root certificates...and they work just fine installed on my machines and mobile devices.
Is there a compelling reason to use a 3rd party's paid certificates instead of my own self-generated and signed ones that I control?
I keep thinking - the person or entity I most trust with the authority of my validated encrypted emails... is ME!... why would I let an additional un-verifiable by me entity into that chain of communication? - if who Im sending emails to is others who know me and trust that its me..? and why would I PAY them?
I can understand if the communication is between my commercial website and unknown outside individuals who don't know me and are transacting money... but for personal email? between family and well known friends or co-wokers?
Is there something else I don't understand about public-private key encryption that makes having a validated big 3rd party give me the certificates worth paying for?
I understand the need for SSL 3rd party verify when dealing with commerce on websites or trusting websites with your secure connectivity. But between individuals? it seems different...individuals that you know personally even more different. No?
756
Self-signed certificates are very different from public and private certificates because they are not signed by a certificate authority and therefore provide no trust. Instead, they are signed with their own private key.
A self-signed SSL certificate does not provide sufficient protection to the data sent by a browser to the server. Unlike the certificates issued by reliable certification authorities, the identity of a self-signed SSL is verified by its owner.
In general, the use of self-signed certificates must be discouraged as they present an inherent security risk. For example, there is no way to revoke a self-signed cert. Using an internal CA for issuing all internal certificates is a much better option, we will cover it in a future post.
While self-signed SSL Certificates also encrypt customers' log in and other personal account credentials, they prompt most web servers to display a security alert because the certificate was not verified by a trusted Certificate Authority.
The only reason to use an external CA is so that there's a shared trust root between you and another party. If you control all the machines such as in a domain, then there's no reason at all you can't use your own CA. We have our own domain CA for Exchange. It's actually a lot easier than an external CA because the servers and clients will get the CA certs automatically.
105
this article describes it pretty well:
http://www.davidpashley.com/articles/cert-authority.html
and this one is really good too - look at the sidebar commentary:
http://www.area536.com/projects/be-your-own-certificate-authority-with-openssl/
he doesn't specifically mention SMIME email - but I think it falls under this category.
I believe that in my case ( small personal security ) being your own CA is a valid and ok way to do things - as long as you can wrap your head around the process and do it with careful understanding of the limits.
I'll still wait for someone to convince me otherwise here tho... thanks for all answers everyone is helpful!
44
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
