Talk:Certificate Lifecycle

From OpenSSLWiki

I don't believe this is correct: "Certificates are NOT free." Obtaining a certificate from a well-known Certificate Authority typically requires that you pay a fee.

StartCom issues free Class 1 Certificates. The cost is in revocation, and StartCom is unique in that they charge on the back side if revocation is required, rather than the front side like most CAs.

For completeness, Class 1 is the lowest class, while Class 3 or 4 (or whatever N they choose; it's arbitrary and meant to baffle the purchaser) is the highest class. I think "Extended Validation" or EV Certificates are usually about a Class 3.

Jeff ___

I don't believe this is correct: A certificate knows from its creation what job it will do. There is no way a certificate issued for authenticating a server can be used in a browser to identify a user. Certificates have a purpose.

If you enforce Basic Constraints, Key Usage (KU), and Extended Key Usage (EKU), most PKIs break. Confer: "Code Signing: Breaks for Device when enforcing Basic Constraints on WWDR CA," http://openradar.appspot.com/radar?id=3011403. There are tens of thousands of other examples.

Jeff ___
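The disagreement above is about whether a certificate's declared job is enforced. The following is an added example, not from the wiki page or from either commenter; it builds a throwaway two-level PKI in a temporary directory with the openssl command line (OpenSSL 1.1.1 or later assumed; every name and value in it is constructed) and runs OpenSSL's own purpose checks, which consult Basic Constraints, Key Usage and Extended Key Usage, against a leaf certificate issued for TLS servers only.

```shell
#!/bin/sh
# Added example (not from the wiki page or its authors): a throwaway two-level PKI
# used to show what OpenSSL's purpose checks make of Basic Constraints, Key Usage
# and Extended Key Usage. All subject names, lifetimes and file names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Root: Basic Constraints CA:TRUE plus keyCertSign, the minimum a purpose-aware
# verifier needs before it will accept this certificate as an issuer.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Test Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null

# Leaf: end entity whose EKU names serverAuth only. This is the
# "a certificate knows from its creation what job it will do" case.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$WORK/srv.ext"
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -extfile "$WORK/srv.ext" -out "$WORK/srv.crt" 2>/dev/null

# Same chain, verified for a named purpose (sslserver, sslclient, ...).
# Prints "accepted" or "rejected" and always returns 0.
check_purpose() {
    if openssl verify -CAfile "$WORK/ca.crt" -purpose "$1" "$WORK/srv.crt" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# Same chain with no purpose given: only issuer signature, CA flag and validity
# period are checked, so a server-only leaf passes here for any use.
check_chain_only() {
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/srv.crt" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

echo "chain only: $(check_chain_only)"
echo "sslserver:  $(check_purpose sslserver)"
echo "sslclient:  $(check_purpose sslclient)"
```

The leaf is accepted for sslserver and rejected for sslclient, because `openssl verify -purpose sslclient` refuses a certificate whose EKU is present but lacks clientAuth. Without `-purpose` the same leaf is accepted, which is the situation Jeff describes: the constraint is real, but it only bites when the relying party chooses to enforce it.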

I don't believe this is correct: "A Certificate without a private key is like glasses without eyes" A certificate does not contain the private key. If you have a certificate and you lose your private key, then the certificate is unusable.

After a signing key is retired, a CPS will often state the private key is destroyed to ensure no new signatures. The certificate (and its public key) is still needed for signature verification.

Jeff

___


- "unusable to prove your current identity" - would be better.

I do agree with all those remarks; but as usual when doing simplifications for beginners (see Category:Beginner), many subtleties are left out.

When you face questions like:

- Can I renew a certificate? And the user does not know he needs a private key to do so.
- Why does my browser refuse to install a Client Certificate in my browser? Because it is a Certificate and not a PFX containing the private key.
- Why can't I connect to my server in https even after installing a Certificate? Because you didn't install a private key...

You quickly understand that in the mind of users beginning with Certificate use, the Certificate itself means everything needed to prove identity, ownership and anything else. I feel it is important to recall that the Private Key is the key point of Certificate usage.

I will put all those comments in the Discussion tab of Certificate Lifecycle...

Philippe
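Jeff's point that the certificate stays necessary after the private key is destroyed, and Philippe's point that a certificate alone is useless to the user who needs to prove identity, are two sides of the same fact: the certificate carries only the public key. The following is an added example, not from the wiki page or from either commenter; it uses the openssl command line (OpenSSL 1.1.1 or later assumed; the subject name, document text and file names are constructed) to check whether a certificate and a private key belong together, to sign a document with the private key, and to verify that signature with nothing but the certificate, before and after the key is deleted.

```shell
#!/bin/sh
# Added example (not from the wiki page or its authors): what the private key is
# needed for, and what the certificate alone can still do. All names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A self-signed certificate and the private key that belongs to it.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=signer.example.test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
# An unrelated private key, standing in for the "wrong key installed" case.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.pem" 2>/dev/null

# The certificate holds only the public key. Compare it with the public half
# derived from a private key. Prints "match" or "mismatch".
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    from_key=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    if [ "$from_cert" = "$from_key" ]; then echo match; else echo mismatch; fi
}

# Verification needs only the certificate's public key.
# Usage: verify_with_cert CERT FILE SIGNATURE; prints "ok" or "bad".
verify_with_cert() {
    openssl x509 -in "$1" -noout -pubkey > "$WORK/pub.pem"
    if openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$3" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
}

# Signing is the step that needs the private key: a bare certificate cannot do this.
printf 'constructed document\n' > "$WORK/doc.txt"
openssl dgst -sha256 -sign "$WORK/key.pem" -out "$WORK/doc.sig" "$WORK/doc.txt"

PAIR_RESULT=$(cert_matches_key "$WORK/cert.pem" "$WORK/key.pem")
WRONG_KEY_RESULT=$(cert_matches_key "$WORK/cert.pem" "$WORK/other.pem")
echo "cert with its own key:   $PAIR_RESULT"
echo "cert with another key:   $WRONG_KEY_RESULT"
echo "verify, key present:     $(verify_with_cert "$WORK/cert.pem" "$WORK/doc.txt" "$WORK/doc.sig")"

# Retire the signing key the way a CPS describes: destroy it.
# Signatures made earlier still verify, because only the certificate is consulted.
rm "$WORK/key.pem"
echo "verify, key destroyed:   $(verify_with_cert "$WORK/cert.pem" "$WORK/doc.txt" "$WORK/doc.sig")"

# An altered document fails against the same certificate.
printf 'constructed document, altered\n' > "$WORK/doc2.txt"
echo "verify, tampered file:   $(verify_with_cert "$WORK/cert.pem" "$WORK/doc2.txt" "$WORK/doc.sig")"
```

The pair check is the test a beginner can run when a server or browser refuses a freshly installed certificate: if the public key inside the certificate does not equal the public half of the installed private key, the certificate is the wrong one for that key, or the key was never installed at all.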