[H-GEN] Fwd: Re: Certificate experience

David Wood dwood at plugged.net.au
Tue May 18 17:46:07 EDT 1999


(Note reply-to: being general at humbug.org.au vs David Wood <dwood at plugged.net.au>)

Hi all,

Here is some interesting reading on problems one of our customers
encountered when trying to implement an X.509 certificate authority (CA). 
I thought that some of you might be interested.

Some background:  The customer wanted stronger authentication for a
Web-based application than username/password.  We recommended certificates
and offered to host a CA for them.  They wanted to run it themselves.  We
recommended that they use Netscape Certificate Server, since it is
(relatively) easy to set up and run.  They wanted a cheaper solution, so
we said they could use XCert but that we didn't have any experience with
it and so couldn't vouch for it.

The message below came from the poor sysadmin who got handed the project
at that point.  :-(


----------  Forwarded Message  ----------
Subject: Re: Certificate experience
Date: Tue, 18 May 1999 20:59:48 +1000
From: <snip>


On Tuesday, 18th May 1999, David Wood wrote:

>I understand from Bernadette Hyland (Plugged In's professional services
>director) that you had a difficult time implementing a CA.  I would
>consider it very valuable if you could give me some feedback on your
>experiences.  Plugged In makes every effort to keep 'real world' issues in
>mind when we recommend technological solutions.
>
>I would appreciate any amount of time that you can give me on this.

How do you want to do this?  You could phone me and I could rattle on.
Writing it down would take too much time at the moment, but here's the
60 second summary:

-   Everything is really new.
-   We are putting together many new things simultaneously.
    - XCert contains a modified Stronghold
    - Stronghold had to be modified to do JServ
    - Real Stronghold can be modified by us, but XCert Stronghold cannot.
    - Thus we can't run XCert in the manner it is designed to run.
    - Thus, we suffer.
-   All the software is green and has bugs/deficiencies.
    -   The documentation for XCert is appalling.
    -   Default XCert screens suck, and needed patching and editing.
    -   Stronghold had/has bugs, and error logs containing meaningless msgs.
    -   Every browser has multiple major bugs.
    -   Many ISPs are garbage
    -   Many modems are garbage
    -   Windoze is garbage
-   Nobody I know knows how certificates and SSL really work.
    -   I still don't know as much about them as I want to.
    -   I don't know any place to get the information I want.
    -   I know a LOT of places to get information I DON'T want.

So, not all of this is directly related to the CA.  But being unable to
predict the result of a change in certificate allocation policy because
you don't know how your software will behave, and you certainly don't
know how the 100 or more versions of IE work can really slow things down.

But probably the major problem I had was not related to software.  It was
the perception by ... (what do you call the people that pay for it?) ...
the sponsors that this was a technology just like any other and that it
would "just work" and that we were all experts in it.  If I had known
that I would have to be "it", things would have been different.  Most
of my time was spent in experimentation, bug hunting in commercial
products, and research (standards, etc).  There are still many unknowns.

I could do it better if we did it all again.  But I think it will be a
year or 2 before this stuff works as well as I think it should.  This
doesn't stop it being a success.  But many technical issues remain
unresolved.

<sig deleted>
------------------------------------------------------------------

Regards,
Dave
------------------------------------------------------------------
David Wood                   | Telephone:  +61 7 3876 7140
mailto:dwood at plugged.net.au  | Facsimile:  +61 7 3876 7142
http://www.plugged.net.au    | PGP Key available via finger
------------------------------------------------------------------
"It is only the last and wildest kind of courage that can stand
on a tower before 10,000 people and tell them that twice two
is four."  - G.K. Chesterton

--
This is list (humbug) general handled by majordomo at lists.humbug.org.au .
Postings only from subscribed addresses of lists general or general-post.
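The forwarded message complains that nobody on the project could predict how a change in certificate allocation policy would play out, and that there was no good place to learn how certificates actually work. The script below is an added example, not code from the original message and not from XCert, Stronghold or Plugged In: it drives a minimal X.509 CA with nothing but the openssl command line, issues a client-authentication certificate of the kind the customer wanted in place of passwords, verifies it, then revokes it and shows that verification only fails once the CRL is consulted. The config file contents, subject names ("Example Test CA", "alice"), validity periods and file names are all assumptions for the demo; everything is created in a fresh temporary directory and the "openssl" binary is assumed to be 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal X.509 CA with the
# openssl CLI. All names, paths and config values are assumptions.

# Write the openssl config that drives both "req" and "ca". The [ demo_ca ]
# section is the CA's state (index, serial, issued certs); [ client_ext ]
# is what every issued client cert gets; [ ca_ext ] is for the CA cert itself.
write_ca_config() {
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
serial           = $dir/serial
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy
x509_extensions  = client_ext

[ any_policy ]
commonName       = supplied

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ client_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Runs the whole issue / verify / revoke cycle in a temp dir (subshell, so the
# cd does not leak) and prints one line: "issued=<OK|FAIL> revoked=<rejected|accepted>".
ca_demo() (
  set -e
  cd "$(mktemp -d)"
  write_ca_config
  touch index.txt
  echo 01 > serial
  mkdir newcerts

  # 1. Self-signed CA certificate and key (assumed subject).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config ca.cnf -extensions ca_ext \
    -subj "/CN=Example Test CA" -keyout ca.key -out ca.crt 2>/dev/null

  # 2. The user's key and CSR; in real life only the CSR reaches the CA.
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=alice" -keyout alice.key -out alice.csr 2>/dev/null

  # 3. The CA signs the CSR with client_ext and records it in index.txt.
  openssl ca -batch -notext -config ca.cnf -in alice.csr -out alice.crt 2>/dev/null

  # 4. Verify as a TLS client certificate chaining to our CA.
  if openssl verify -CAfile ca.crt -purpose sslclient alice.crt >/dev/null 2>&1; then
    issued=OK
  else
    issued=FAIL
  fi

  # 5. Revoke the cert and publish a CRL. Nothing changes inside alice.crt:
  #    a relying party that never fetches the CRL will keep accepting it.
  openssl ca -config ca.cnf -revoke alice.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null

  # 6. Same chain check, but with CRL checking switched on.
  if openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check alice.crt >/dev/null 2>&1; then
    revoked=accepted
  else
    revoked=rejected
  fi

  echo "issued=$issued revoked=$revoked"
)

ca_demo
```

The point of step 6 is the one the sysadmin was missing information on: a certificate carries no state of its own, so "allocation policy" changes such as revocation only take effect at the verifier that bothers to check the CRL (or, today, OCSP). Dropping "-crl_check" from the last verify makes the revoked certificate pass again.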
