
ipsCA: Getting What You Pay For

Submitted on December 23, 2009 – 1:00 am

So the SSL certification authority (CA) ipsCA is frantically sending out email because their root CA certificate will expire on 12/29/2009, and every customer of theirs needs to get a new certificate. This is a problem for my organization because, being an educational institution, we were able to get no-cost[0] SSL certs from them. Because they were no-cost we have a lot of these certificates for test & development systems, and are now scrambling to find what will break on December 29th.

Once we find all the certificates there’s another complicating factor. We could just renew the certificates again, but the new ipsCA root certificate is not shipping as part of any browsers except Internet Explorer 8 (the next Firefox will have it when it ships in February). Since we know nobody ever patches anything[1], nearly every browser in circulation will continue to have errors. I can only conclude that ipsCA is being run by people who don’t understand their business.[2]

There are a few lessons here:

  • Once again, free doesn’t mean it’s a good value. I’d much rather pay for a product I know will work well than have to babysit something that I paid nothing for. Though I’d be seriously upset if I were actually a paying customer of theirs.
  • It would be real nice to have a central spreadsheet or tracking mechanism for SSL certificates and their expiration dates.
  • It would also be nice to have all those SSL certificates co-terminate, so we can renew them all at once. Of course, we have an opportunity to do that now.
  • For most test & development purposes an internal CA would work just fine, since it’s simple enough for staff to import a CA into their browsers. In fact, some of my coworkers have already set it up.

Let’s just hope these points don’t get lost in the chaos.
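A minimal version of the tracking mechanism from the list above, as an added example that is not part of the original post. It assumes each host's certificate details were collected with `openssl x509 -noout -issuer -enddate` and prefixed with a `# host=` line; the hostnames, issuer DNs and dates are constructed.

```python
import csv, io
from datetime import datetime, timedelta

# Constructed sample (hosts, DNs and dates are made up): per-host output of
#   openssl x509 -noout -issuer -enddate
SAMPLE = """\
# host=dev1.example.edu
issuer=O = ipsCA, CN = constructed sample issuer
notAfter=Jun 30 23:59:59 2010 GMT
# host=test2.example.edu
issuer=O = Internal Test CA, CN = constructed internal issuer
notAfter=Jan  5 12:00:00 2010 GMT
# host=www.example.edu
issuer=O = Other CA, CN = constructed commercial issuer
notAfter=Mar 15 00:00:00 2011 GMT
"""

def parse_inventory(text):
    """Turn the collected openssl output into one dict per certificate."""
    records = []
    for line in text.splitlines():
        if line.startswith("# host="):
            records.append({"host": line.split("=", 1)[1].strip()})
        elif "=" in line and records:
            key, value = line.split("=", 1)
            records[-1][key.strip()] = value.strip()
    for rec in records:
        rec["expires"] = datetime.strptime(rec["notAfter"], "%b %d %H:%M:%S %Y GMT")
    return sorted(records, key=lambda r: r["expires"])

def flag(records, today, affected_issuer, warn_days=30):
    """Flag certs issued by the affected CA or whose own expiry is near."""
    rows = []
    for rec in records:
        reasons = []
        if affected_issuer.lower() in rec["issuer"].lower():
            reasons.append("issuer-root-expiring")  # leaf date alone misses this
        if rec["expires"] - today <= timedelta(days=warn_days):
            reasons.append("leaf-expiring")
        rows.append([rec["host"], rec["issuer"], rec["expires"].date().isoformat(),
                     "+".join(reasons) or "ok"])
    return rows

def to_csv(rows):  # spreadsheet-ready CSV string, soonest expiry first
    buf = io.StringIO()
    csv.writer(buf).writerows([["host", "issuer", "not_after", "status"]] + rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(flag(parse_inventory(SAMPLE), datetime(2009, 12, 23), "ipsCA")))
```

Matching on the issuer as well as the leaf's own `notAfter` matters here: a certificate can look valid for months and still be affected because the root above it expires first.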

———————————————————-

[0] I say “no-cost” because it’s now obvious to a lot of people that they aren’t free.

[1] Except toolbars, things that install toolbars, and spyware.

[2] That’s probably the most polite I’ve been when describing this situation.


This post written by Bob Plankers for The Lone Sysadmin. Unless otherwise noted it is © 2009 Bob Plankers and licensed under the Creative Commons BY-NC-SA 3.0 license.

