nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA
 ·Cox HSI
 ·Speakeasy
| reply to Jason Levine
Re: I don't use Verisign
said by Jason Levine  :
Luckily, I don't use Verisign for SSL certs for my company's sites so users shouldn't experience any of the problems while browsing with us. We use GeoTrust instead. They are much less expensive.
If you use any kind of certificates that make use of intermediate certificate authorities, you will potentially be effected some day. Using different company's certs won't insulate you from that. Eventually, all certificate authority certificates expire - even GeoTrust's.
The major benefit of buying each providers' top-end certificates is that they are signed against the root certificate authority rather than an intermediate authority. Root certificate authorities typically have a lifetime of up to twenty years. So, you'll likely never see the CA expiration problem within the lifetime of your server. Intermediate authorities typically have a maximum lifetime of seven years. So, if you've had a site for a while and have been getting your certificates issued against the same intermediate CA, you end up having this week's problem.
It's the nature of PKI. To have truly trustworthy sites, you need to set expirations on the trust devices (certificates). Root CA's about 20 years; intermediate CA's about 7 years; server certificates typically 1-2 years; and client certificates typically no longer than 1 year.
-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron" |
