
RE: Certificates: self-signed vs Verisign



Shan,

There are many advantages to a third party certificate authority
providing certificates for a trading partner community.

Digital signatures are verified via the public key that is contained
in an X.509 cert.

A CA gives its digital signature on an X.509 cert to give a level of
authenticity to the identity of the entity holding the cert.

Verisign is a CA that is one of a very few that has passed the
California requirements for registration to legally provide CA
services.

A CA like Verisign will keep X.509 certs in its directory service for
many years... long past the expiration date of the cert.  This will
allow subscribers to download certs that have expired so that digital
signatures can be checked on documents and transactions years after
the original digital signature has been applied.

A digital signature is growing in importance especially with the
latest digital signature laws enacted at the federal and state levels.

As you know, Shan, a digital signature provides authenticity,
non-repudiation, and integrity to an electronic commerce transaction.
Coupled with state and federal laws and the use of a certified CA's
X.509 cert, an electronic business transaction carries all the legal
power of any other type of transaction (such as a paper contract with
a notary public certified "wet" signatures).

I am in favor of utilizing a third party CA rather than self-signed
certs because of the additional benefits the CA provides, including
the legal issues.

In my humble opinion, of course.

Have a good weekend.

-Dave Darnell





-----Original Message-----
From: Shan Harter [mailto:sharter@xxxxxxxxxxxxx]
Sent: Saturday, September 30, 2000 4:37 PM
To: 'Briley, Robert'; ietf-ediint@xxxxxxx
Subject: RE: Certificates: self-signed vs VeriSign


Does it really matter if it's VeriSign or by Cyclone, or IDX or ECXpert,
Priminos/Templar, as long as the trust relationship between the two
parties has been agreed upon?

Vcommerce will probably use IDX's generated certificates (AKA Cyclone).

Shan

-----Original Message-----
From: Briley, Robert [mailto:Robert_Briley@xxxxxxxxxxxxxxxx]
Sent: Friday, September 29, 2000 8:20 AM
To: ietf-ediint@xxxxxxx
Subject: RE: Certificates: self-signed vs VeriSign


As we start to poll our trading partners on their certificate preference,
the mix is about split.  However, when we ask them the reason behind their
preference, they don't usually have an explanation other than "well that
just seemed to be the best way".

Rob

Robert Briley
Senior Network Engineer
BridgePoint, Inc.
robert_briley@xxxxxxxxxxxxxxxx

> -----Original Message-----
> From: Eric D. Williams [SMTP:eric@xxxxxxxxxxx]
> Sent: Friday, September 29, 2000 9:25 AM
> To:   ietf-ediint@xxxxxxx
> Cc:   'Totman, Philip PL'
> Subject:      RE: Certificates:  self-signed vs VeriSign
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello all,
> I agree with Philip, however the use of self-signed will (in the short
> term) be limited to those "trading partners" who choose to operate in that
> modality.  I believe most will be motivated as EDIINT moves forward to choose
> externally signed certs.  I am sure the current CA's will follow these
> developments closely and move quickly and deploy services in that space.
>
> From that perspective, however, it is very important to establish "good
> practices" for using self-signed certificates NOW, regardless of the
> marketplace developments.  I would be interested in some discussion on the
> parameters (read legal framework) trading partners will establish for that
> type of activity, this will at least give us some practices to draw from
> concerning self-signing and authenticity.
>
> Eric Williams, Pres.
> Information Brokers, Inc.    Phone: +1 202.889.4395
> http://www.infobro.com/         Fax: +1 202.889.4396
>               mailto:eric@xxxxxxxxxxx
>            For More Info: info@xxxxxxxxxxx
>                     PGP Public Key
>    http://new.infobro.com/KeyServ/EricDWilliams.asc
> Finger Print: 1055 8AED 9783 2378 73EF  7B19 0544 A590 FF65 B789
>
>
> On Friday, September 29, 2000 12:55 AM, Totman, Philip PL
> [SMTP:Totman.Philip.PL@xxxxxxx] wrote:
> > Mark,
> > BHP Steel Australia are about to embark on rolling out an EDIINT compliant
> > product to its major trading partners. BHP is committed to Sterling Commerce
> > solutions (Gentran) and have chosen the Internet Data Exchange (IDX) product
> > that has been sourced from Cyclone.
> >
> > We are planning to generate self-signed certificates and we expect that most
> > trading partners will be happy to follow suit until this type of EDI trading
> > develops and requires external certificate management.
> >
> > regards
> >
> > Philip Totman
> > __________________________________________________
> > CSC Technology Services (formerly BHP IT)
> > CSC
> > 151 King Street, Warrawong NSW 2502
> > Ph: (02) 4275 5436   Email: totman.philip.pl@xxxxxxxxxx
> >
> >
> >
> > > ----------
> > > From:     Mark_Mueller@xxxxxxxxxxxx[SMTP:Mark_Mueller@xxxxxxxxxxxx]
> > > Sent:     Friday, 29 September 2000 7:04
> > > To:       ietf-ediint@xxxxxxx
> > > Cc:       Leo_Burstein@xxxxxxxxxxxx; Robert_Mytkowicz@xxxxxxxxxxxx
> > > Subject:  Certificates:  self-signed vs VeriSign
> > >
> > > Folks,
> > >
> > > We're just getting started with EDIINT and we're trying to get a sense for
> > > whether other companies are using self-signed certificates or certificates
> > > from a CA such as VeriSign.
> > >
> > > What seems to be the trend out there?  Would people look askance at
> > > self-signed certificates?
> > >
> > >     Mark
> > >
> > >
> > EOM
> >
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
>
> iQA/AwUBOdSYKAVEpZD/ZbeJEQJCBQCgrpdp65PmqxAlrZeFeWqK+jy4SEcAn1ev
> 4P3ZmJjGP9piZRpZnUXsOro3
> =BrJV
> -----END PGP SIGNATURE-----