views: 36
answers: 3

Hello.

I'm setting up a web service which will only be used by a limited number (< 100) of known agents (business partners etc.).

Because I am not public facing, do I face any real downside to using self-issued certs as opposed to the much more costly route of using a known CA?

Edit: I should clarify that the primary purpose we hope to get out of the certificates is to fulfil the 2nd factor in two-factor authentication (password for what-you-know, X.509 cert for what-you-have)

+1  A: 

With a self-signed cert, the users will be warned that the certificate is not trusted by the browser until they manually add the signing certificate into their certificate cache, or will have to click to accept the fact that the certificate may be untrusted.

With a known CA such as Verisign, the signing certificate will typically already be preinstalled on their PC, so the user will receive no prompt.

Also a security consideration (from Wikipedia - haven't encountered this myself): "Self-signed certificates cannot (by nature) be revoked, which may allow an attacker who has already gained access to monitor and inject data into a connection to spoof an identity if a private key has been compromised. CAs on the other hand have the ability to revoke a compromised certificate, which prevents its further use."

Kris C
Having the users install our root certificate into their browser / truststore shouldn't be a problem; we are in constant contact already.
Neil McF
Might well work out fine for you doing it that way then - there isn't much of a saving though - SSL certs are pretty cheap (in business terms anyway)
Kris C
Also you can get 'extended validation' certificates that the browser can use to change the colour of the address bar to green etc, to help verify the website is the intended destination - not sure if this can be done with self signed. May not be a consideration in your situation, but another thing to think about
Kris C
I was about to respond that this is strictly for web-services, but that's the kind of thinking that gets people painted into corners. Will take that into consideration.
Neil McF
A: 

I would think most security-conscious people would hesitate to import some guy's root certificate. Heck, I have certificates I've generated MYSELF that I don't want to import. And a lot of software will refuse to deal with a server whose cert isn't issued by a CA it (or the OS) trusts.

Seriously, check out http://www.startssl.com. They offer free certificates, which appear to be pretty well supported by most common browsers and OSes. It's a lot easier than even trying to tell people how to install your root cert.

cHao
Howdy. In checking the URL, what is the advantage of using StartSSL vs. self-generated for non-public web sites? The information they are verifying should already be known and trusted by our agents.
Neil McF
The advantage is that their CA cert is already trusted by a bunch of software, so the ones they sign will be too -- with no extra work on your part. Nice side bonuses are that you don't (accidentally or otherwise) teach people to consider installing some schmoe's root certificate as standard practice, and that you don't come off looking like a cheapskate, or worse, a scam artist.
cHao
Thanks. We're going to need to have users install client-certs regardless though (the primary purpose of the certs is to function as a digital token). So long as we're not compromising security, I don't think there will be any objections to us being thrifty.
Neil McF
+4  A: 

There's no real downside, but it's easier to use a private CA in those circumstances. That private CA has a self-signed certificate, and authorizes everything else in your closed world. Write down a policy (you know, on a piece of paper) for who gets their certificate signed and how you go about doing the signing, and you'll be operating like the “real” CAs do.

But if there are external business partners involved, it's probably easier to just use a normal CA. You can get your service certificates signed for very little so cheap-skating on them is just not really worth it. It only becomes a hassle when you start to want to do things like delegated authority and things like that; at that point, you want to start reading about OAuth and FOAF+SSL. And maybe other things too; it's a deep rabbit-hole.

Donal Fellows
Setting up your own CA for this is the correct approach. There's just one certificate to validate and then, for this scenario, you gain all the benefits of CA-signed certificates at no cost.
Anonymouse
Not all the benefits. A CA-signed certificate says, at least, "I'm in charge of the domain this cert is for". A self-signed certificate says either "I'm a cheapskate and didn't know there are free SSL certs", or "I'm a scammer".
cHao
@cHao: Not really. It depends on the policy of the CA, which you have to go and read to understand. The only special thing about the CA certs built into the browser (apart from the fact that they're already there) is that someone else has read the policies and decided that the CA is “good enough” to guarantee e-Commerce transactions. But in a closed domain, a restricted CA or self-signed certificate *where the other participants know it already out-of-band* is even safer. What *isn't* good is trusting any self-signed cert, since anyone at all can make one.
Donal Fellows
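The private-CA setup from the accepted answer, and the point in its last comment that trusting one known root is very different from trusting any self-signed cert, as an added example that is not part of the original thread. It assumes `openssl` on the PATH; the directory, subject names (`Example Partner CA`, `service.example.test`, `agent01`) and lifetimes are constructed for illustration.

```shell
# Builds a throwaway private CA under $1 (a scratch directory), issues one
# service cert and one client cert from it, and also makes an unrelated
# self-signed cert for comparison. Returns 0 only if every step succeeded.
make_private_ca() {
  mkdir -p "$1" || return 1
  (
    cd "$1" || exit 1
    # 1. The private CA: one self-signed root. This is the single cert the
    #    partners import into their truststore, handed over out-of-band.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
      -keyout ca.key -out ca.crt -subj "/CN=Example Partner CA" \
      >/dev/null 2>&1 || exit 1

    # 2. Service certificate: a CSR signed by the private CA (serverAuth EKU,
    #    SAN matching the hostname the agents connect to).
    openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
      -subj "/CN=service.example.test" >/dev/null 2>&1 || exit 1
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:service.example.test\n' \
      > server.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 825 -extfile server.ext -out server.crt >/dev/null 2>&1 || exit 1

    # 3. Client certificate: the "what you have" factor, one per known agent.
    openssl req -newkey rsa:2048 -nodes -keyout agent01.key -out agent01.csr \
      -subj "/CN=agent01/O=Partner A" >/dev/null 2>&1 || exit 1
    printf 'extendedKeyUsage=clientAuth\n' > client.ext
    openssl x509 -req -in agent01.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 365 -extfile client.ext -out agent01.crt >/dev/null 2>&1 || exit 1

    # 4. A stray self-signed cert carrying the same subject as agent01: anyone
    #    can mint one, which is why only the CA root, not "self-signed", is trusted.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -keyout rogue.key -out rogue.crt -subj "/CN=agent01/O=Partner A" \
      >/dev/null 2>&1 || exit 1
  )
}

# Verifies a certificate against the CA file alone, which is what a server
# configured with that CA for client authentication does. Prints ok or fail.
chains_to_ca() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}
```

Run `make_private_ca ./pki` and then `chains_to_ca ./pki/ca.crt ./pki/rogue.crt` to see the look-alike cert rejected while `agent01.crt` and `server.crt` verify.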