Re: I don't use Verisign in

Re: I don't use Verisign in http://www.dslreports.com/forum/r9023438 en Tue, 24 Nov 2009 04:01:01 EDT Tue, 24 Nov 2009 04:01:01 EDT Re: I don't use Verisign http://www.dslreports.com/forum/remark,9024875 Jason Levine :

said by nixen :
If you use any kind of certificates that make use of intermediate certificate authorities, you will potentially be effected some day. Using different company's certs won't insulate you from that. Eventually, all certificate authority certificates expire - even GeoTrust's.

Ah, thanks for the clarification. I just checked and it seems that GeoTrust's cert expires in 2018. So I'll have to worry about this in 14 years (if I'm using the same server and haven't updated the cert).
--
-Jason Levine
http://www.jasons-toolbox.com/
http://www.PCQandA.com/
http://www.urateit.com/]]> http://www.dslreports.com/forum/remark,9024875 Fri, 09 Jan 2004 08:44:37 EDT Re: I don't use Verisign http://www.dslreports.com/forum/remark,9023438 nixen :

said by Jason Levine :
Luckily, I don't use Verisign for SSL certs for my company's sites so users shouldn't experience any of the problems while browsing with us. We use GeoTrust instead. They are much less expensive.

If you use any kind of certificates that make use of intermediate certificate authorities, you will potentially be effected some day. Using different company's certs won't insulate you from that. Eventually, all certificate authority certificates expire - even GeoTrust's.

The major benefit of buying each providers' top-end certificates is that they are signed against the root certificate authority rather than an intermediate authority. Root certificate authorities typically have a lifetime of up to twenty years. So, you'll likely never see the CA expiration problem within the lifetime of your server. Intermediate authorities typically have a maximum lifetime of seven years. So, if you've had a site for a while and have been getting your certificates issued against the same intermediate CA, you end up having this week's problem.

It's the nature of PKI. To have truly trustworthy sites, you need to set expirations on the trust devices (certificates). Root CA's about 20 years; intermediate CA's about 7 years; server certificates typically 1-2 years; and client certificates typically no longer than 1 year.

-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron"]]> http://www.dslreports.com/forum/remark,9023438 Fri, 09 Jan 2004 01:10:30 EDT I don't use Verisign http://www.dslreports.com/forum/remark,9018797 Jason Levine : Luckily, I don't use Verisign for SSL certs for my company's sites so users shouldn't experience any of the problems while browsing with us. We use GeoTrust instead. They are much less expensive.]]> http://www.dslreports.com/forum/remark,9018797 Thu, 08 Jan 2004 17:24:33 EDT