[ofw] RE: openfabrics.org ssl certificate

[Ryan, Jim]

Money well spent

-----Original Message-----
From: Smith, Stan 
Sent: Tuesday, October 02, 2007 1:31 PM
To: ofw at lists.openfabrics.org
Cc: Ryan, Jim; jeff.c.becker at gmail.com
Subject: RE: openfabrics.org ssl certificate


Would the person who setup the openib-windows Wiki or someone who is
knowledgeable of the Wiki setup please contact me w.r.t. the Wiki being
moved if it's not already at an OpenFabrics Alliance server.
>From Jan's response this could be the case, hence a certificate refresh
(aka $$ & email) is all that is needed?

Thanks Jan.

Stan.

PS: Jim this might cost you $$?



Jan Bottorff wrote:
> Hi,
> 
> The SSL certificate used for wiki.openfabrics.org is basically bogus.
> 
> 1) the embedded name is staging.openfabrics.org (to be correct it
> needs to really match what's in the url), browsers check this so then
> can authenticate who is at the other end of the url (this prevents dns
> spoofing, which can make www.citibank.com actually send some people to
> the ip address for hackers.areus.com)
> 
> 2) the certificate expired 1/19/2007
> 
> 3) the certificate is self signed, not from a real certificate
> authority (the thing that prevents hackers.areus.com from just self
> signing a certificate that has www.citibank.com is browsers only
> accept certificates that have a parent (or parents parent) that is
> rooted in trusted certificates, unless you explicitly tell your
> browser to trust a certificate
> 
> The lowest cost real SSL certificates I know of are at godaddy.com.
> The simplest one is $20/year (for a single site certificate like
> wiki.openfabrics.org). If you want a wildcard certificate (i.e.
> *.openfabrics.org) its $199/year. This validates in something like 98%
> of browsers. The $500 Verisign certificates validate in like 99.9% of
> browsers.
> 
> The process to get a real SSL certificate basically is someone who has
> appropriate access to the web server needs to generate a certificate
> signing request (csr) with a private key. You keep the private key,
> and you send the csr to the certificate authority (and perhaps tell
> them which web server you use). They will validate your identity ($20
> doesn't get much validation, like that the owner of the domain has
> your email address), sign the csr with a private key that has in it's
> parent chain one of the roots sorted in web browsers, and send you
> back the signed certificate. This certificate, along with the private
> key which you carefully kept secret, needs to then be configured in
> the web server and ssl works as intended. As I remember, the last
> time I used a low cost godaddy.com certificate, I also had to add an
> intermediate certificate in the chain to the web server, to be sent
> along with the site certificate. This is because godaddy's
> certificate is the child of a child of a validated root. The web
> servers all know how to configure these intermediate certificates and
> are not uncommon (like a big corporation would get a corporate
> subroot signed by a validated root, to use in their corporate
> certificate authority, which then signs the certificates of a
> department, and ssl is happy). 
> 
> 
> Jan
> 
> 
> -----Original Message-----
> From: ofw-bounces at lists.openfabrics.org
> [mailto:ofw-bounces at lists.openfabrics.org] On Behalf Of Smith, Stan
> Sent: Monday, October 01, 2007 10:24 AM
> To: ofw at lists.openfabrics.org
> Subject: [ofw] Resolution for missing header files in build
> processdocumented @ openib-wiki FAQ
> 
> 
> See https://wiki.openfabrics.org/tiki-index.php?page=Windows+FAQ
> 
> BTW, does anyone know how to correct the problem with this website's
> security certificate?
> It's hard to maintain a semblance of credibility when we don't even
> fix our own web page...
> 
> Thanks,
> 
> Stan.
> _______________________________________________
> ofw mailing list
> ofw at lists.openfabrics.org
> http://lists.openfabrics.org/cgi-bin/mailman/listinfo/ofw