[ofw] RE: openfabrics.org ssl certificate

Smith, Stan stan.smith at intel.com
Mon Oct 8 09:44:57 PDT 2007


Tzachi Dar wrote:
> One more thought about the certificate:
> This certificate is needed since we are using https and not http.
> Is there any reason not to use http?

This question has come up and I do not have a good answer?
 
My _guess_ is the SSL/https is tied into the Wiki edit functionality?

Using http: would be a big win in my mind as long as we do not lose the
Wiki edit ability - keep it simple!

Stan.

> 
> Thanks
> Tzachi
> 
>> -----Original Message-----
>> From: ofw-bounces at lists.openfabrics.org
>> [mailto:ofw-bounces at lists.openfabrics.org] On Behalf Of Ryan, Jim
>> Sent: Tuesday, October 02, 2007 11:10 PM
>> To: Smith, Stan; ofw at lists.openfabrics.org
>> Cc: jeff.c.becker at gmail.com
>> Subject: [ofw] RE: openfabrics.org ssl certificate
>> 
>> Money well spent
>> 
>> -----Original Message-----
>> From: Smith, Stan
>> Sent: Tuesday, October 02, 2007 1:31 PM
>> To: ofw at lists.openfabrics.org
>> Cc: Ryan, Jim; jeff.c.becker at gmail.com
>> Subject: RE: openfabrics.org ssl certificate
>> 
>> 
>> Would the person who set up the openib-windows Wiki or someone who is
>> knowledgeable of the Wiki setup please contact me w.r.t. the Wiki being
>> moved if it's not already at an OpenFabrics Alliance server.
>> From Jan's response this could be the case, hence a certificate refresh
>> (aka $$ & email) is all that is needed?
>> 
>> Thanks Jan.
>> 
>> Stan.
>> 
>> PS: Jim this might cost you $$?
>> 
>> 
>> 
>> Jan Bottorff wrote:
>>> Hi,
>>> 
>>> The SSL certificate used for wiki.openfabrics.org is basically
>>> bogus. 
>>> 
>>> 1) the embedded name is staging.openfabrics.org (to be correct it
>>> needs to really match what's in the url), browsers check this so
>>> they can authenticate who is at the other end of the url (this
>>> prevents dns spoofing, which can make www.citibank.com actually
>>> send some people to the ip address for hackers.areus.com)
>>> 
>>> 2) the certificate expired 1/19/2007
>>> 
>>> 3) the certificate is self signed, not from a real certificate
>>> authority (the thing that prevents hackers.areus.com from just self
>>> signing a certificate that has www.citibank.com is browsers only
>>> accept certificates that have a parent (or parent's parent) that is
>>> rooted in trusted certificates, unless you explicitly tell your
>>> browser to trust a certificate)
>>> 
>>> The lowest cost real SSL certificates I know of are at godaddy.com.
>>> The simplest one is $20/year (for a single site certificate like
>>> wiki.openfabrics.org). If you want a wildcard certificate (i.e.
>>> *.openfabrics.org) it's $199/year. This validates in something like
>>> 98% of browsers. The $500 Verisign certificates validate in like
>>> 99.9% of browsers. 
>>> 
>>> The process to get a real SSL certificate basically is someone who
>>> has appropriate access to the web server needs to generate a
>>> certificate signing request (csr) with a private key. You keep the
>>> private key, and you send the csr to the certificate authority (and
>>> perhaps tell them which web server you use). They will validate
>>> your identity ($20 doesn't get much validation, like that the owner
>>> of the domain has your email address), sign the csr with a private
>>> key that has in its parent chain one of the roots stored in web
>>> browsers, and send you back the signed certificate. This
>>> certificate, along with the private key which you carefully kept
>>> secret, needs to then be configured in the web server and ssl works
>>> as intended. As I remember, the last time I used a low cost
>>> godaddy.com certificate, I also had to add an intermediate
>>> certificate in the chain to the web server, to be sent along with
>>> the site certificate. This is because godaddy's certificate is the
>>> child of a child of a validated root. The web servers all know how
>>> to configure these intermediate certificates and are not uncommon
>>> (like a big corporation would get a corporate subroot signed by a
>>> validated root, to use in their corporate certificate authority,
>>> which then signs the certificates of a department, and ssl is
>>> happy). 
>>> 
>>> 
>>> Jan
>>> 
>>> 
>>> -----Original Message-----
>>> From: ofw-bounces at lists.openfabrics.org
>>> [mailto:ofw-bounces at lists.openfabrics.org] On Behalf Of Smith, Stan
>>> Sent: Monday, October 01, 2007 10:24 AM
>>> To: ofw at lists.openfabrics.org
>>> Subject: [ofw] Resolution for missing header files in build
>>> process documented @ openib-wiki FAQ
>>> 
>>> 
>>> See https://wiki.openfabrics.org/tiki-index.php?page=Windows+FAQ
>>> 
>>> BTW, does anyone know how to correct the problem with this
>>> website's security certificate? It's hard to maintain a semblance
>>> of credibility when we don't even fix our own web page... 
>>> 
>>> Thanks,
>>> 
>>> Stan.
>>> _______________________________________________
>>> ofw mailing list
>>> ofw at lists.openfabrics.org
>>> http://lists.openfabrics.org/cgi-bin/mailman/listinfo/ofw
>> _______________________________________________
>> ofw mailing list
>> ofw at lists.openfabrics.org
>> http://lists.openfabrics.org/cgi-bin/mailman/listinfo/ofw
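
The three checks listed in Jan Bottorff's quoted message (name match, expiry, chain to a trusted root), plus the missing-intermediate case, as an added Python example that is not part of the original thread. It assumes certificates already decoded into the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the CA names, the trust store, the replacement certificate and the time of day in `notAfter` are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

def rdn(cn):
    """Build a name in the nested-tuple shape getpeercert() uses."""
    return ((("commonName", cn),),)

def host_matches(pattern, host):
    """Exact match, or '*' standing in for the whole left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def audit(cert, host, now, trusted_roots, intermediates=()):
    """Return the failed checks, in the order of the three points in the thread."""
    findings = []
    # 1) the embedded name must match the host in the URL (SAN first, CN fallback)
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names = names or [v for part in cert["subject"] for k, v in part if k == "commonName"]
    if not any(host_matches(n, host) for n in names):
        findings.append("name-mismatch")
    # 2) the certificate must not be past its notAfter date
    if now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    # 3) issuer links must lead to a root the client already trusts.
    #    Names only: a real verifier also checks every signature in the chain.
    by_subject = {c["subject"]: c for c in intermediates}
    current, hops = cert, 0
    while current["issuer"] not in trusted_roots:
        self_signed = current["issuer"] == current["subject"]
        current, hops = by_subject.get(current["issuer"]), hops + 1
        if self_signed or current is None or hops > 8:  # hop limit stops issuer loops
            findings.append("self-signed" if self_signed else "untrusted-chain")
            break
    return findings

# Constructed sample data; only the host names and the expiry date come from the thread.
NOW = datetime(2007, 10, 8, tzinfo=timezone.utc)
ROOTS = {rdn("Example Root CA")}  # hypothetical trust store
WIKI_CERT = {"subject": rdn("staging.openfabrics.org"),
             "issuer": rdn("staging.openfabrics.org"),
             "notAfter": "Jan 19 00:00:00 2007 GMT"}
INTERMEDIATE = {"subject": rdn("Example Intermediate CA"),
                "issuer": rdn("Example Root CA"),
                "notAfter": "Jan 01 00:00:00 2015 GMT"}
FIXED_CERT = {"subject": rdn("wiki.openfabrics.org"),
              "issuer": rdn("Example Intermediate CA"),
              "notAfter": "Oct 18 00:00:00 2008 GMT"}
```

Calling `audit(FIXED_CERT, "wiki.openfabrics.org", NOW, ROOTS)` without `INTERMEDIATE` reports `untrusted-chain`, which is the situation the message describes when the web server does not send the intermediate certificate along with the site certificate.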


