SSL certificate needed?

Gerry Doris gdoris at rogers.com
Mon Mar 8 13:38:00 UTC 2004


On Mon, 8 Mar 2004, Robert Hartung* wrote:

> 
> Hi all, 
>   This may be too basic a question but I would like some 
> opinions.  So here goes: 
>    
> We are setting up a small web viewer to distribute medical 
> x-ray images and reports under SSL.  We will be collecting no 
> information from the clients.  This is a one way street.  We 
> plan on using SSL, but I wonder if it is necessary to pay 
> Verisign US$1600 every two years for their certificate? 
> 
> Thanks.  All input appreciated. 
> 
> Bob Hartung 

Certificate Authorities like Verisign confirm that you are really who you 
say you are and their certificates are already preloaded on everyone's 
PC.  Red Hat sticks all the commercial CAs into a file called 
/usr/share/ssl/certs/ca-bundle.crt.  Microsoft have a similar file 
somewhere.

You can accomplish the same thing by using a self-signed certificate but
you have the problem of getting your self-signed CA added to your client's
bundle.  When your clients first log into your server they will see a
popup saying that your certificate is unknown and will be asked if they
want to proceed.  They can add your cert to their bundle at this time.

This is quite workable if you have a limited number of known clients who
you can instruct ahead of time on what to expect/do.

-- 
Gerry

"The lyfe so short, the craft so long to learne"  Chaucer

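Added example, not part of the original message: a sketch of the trust decision described in the reply, using the openssl command line. It shows a self-signed certificate failing verification against a bundle that does not contain it, then passing once it is appended. The host names, file names and the one-CA stand-in bundle are constructed for illustration.

```shell
#!/bin/sh
# Added example; host names and file names below are constructed.

# make_self_signed PREFIX CN: write PREFIX.key and a self-signed PREFIX.crt.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# trusted_by BUNDLE CERT: succeed only if CERT verifies against BUNDLE.
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# fingerprint CERT: SHA-256 fingerprint to give clients out of band, so they
# can compare it with what the browser warning shows before accepting.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# demo: print the trust state before and after the client adds the cert.
demo() {
    d=$(mktemp -d) || return 1
    make_self_signed "$d/server" viewer.example.test || return 1
    # Stand-in for the client's preloaded bundle: one unrelated CA.
    make_self_signed "$d/other" other-ca.example.test || return 1
    cp "$d/other.crt" "$d/bundle.crt"

    before=untrusted; after=untrusted
    trusted_by "$d/bundle.crt" "$d/server.crt" && before=trusted
    cat "$d/server.crt" >> "$d/bundle.crt"   # client adds the cert
    trusted_by "$d/bundle.crt" "$d/server.crt" && after=trusted

    echo "before=$before after=$after"
    rm -rf "$d"
}

demo   # prints: before=untrusted after=trusted
```

Sending clients the fingerprint() output ahead of time gives them something to check the warning dialog against before they accept the certificate.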



