[Dspace-general] DSpace repositories and self-signed certificates

Brad Teale teale003 at umn.edu
Fri Mar 9 12:01:19 EST 2007


Bill,

Comments in line:

On 03/08/2007 11:14 AM, William L. Anderson wrote:
> I did a little browsing at several DSpace repositories around the world
> and many of them do not require a secure connection. So I'm wondering
> why some handles resolve to https and others to http.

This is the administrator's/institution's choice.  Since there isn't a
password or private data passing over the wire, it really isn't
necessary to provide access through SSL for viewing objects.

> I'm also wondering if presenting so-called untrusted site messages to
> patrons will make the repositories seem less trustworthy. I'm concerned
> here with the interaction experience of the users and patrons.

Most users should understand self-signed certs, and if the cert
name/address match the URL it shouldn't matter.  The sad fact is that
SSL certs from well known CAs are nothing more than a protection
"monopoly" that the industry (browser and CA industry) has supported
through misinformation.  Anyone can pay a CA to get a certificate, yet
they don't provide any real protection to the end user.  A self-signed
cert is probably more secure than a cert from the big CAs since you
control how secure the cert actually is and its valid lifetime.

The sad fact is that there are CAs out there that don't charge money
(http://www.cacert.org/ for one).  However, browser makers won't include
them by default in the CA list...probably because they (browser makers)
don't want to upset the CAs that are giving them money either under or
over the table.

My $0.02,
-Brad

-- 
Brad Teale                            Web Application Developer
Digital Library Development Lab       University of Minnesota Libraries
teale003 at umn.edu                      612-625-0473
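As an added illustration (not from Brad's post or from DSpace) of the three checks a browser makes before it shows a certificate as trusted or "untrusted": the Go program below builds a self-signed certificate for the constructed host repo.example.edu, then shows it rejected against an empty trust store, accepted once that cert is pinned as trusted out of band, and rejected again on a hostname mismatch or after its validity period ends.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSignedCert builds a self-signed server cert for hostname, valid for lifetime from now (negative = already expired).
func selfSignedCert(hostname string, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname}, // the name a client compares with the URL's host
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(lifetime),
	}
	// Signing the template with its own key is what makes the certificate self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkCert applies the checks a browser applies (trusted issuer, hostname match, validity period) and names the first failure.
func checkCert(cert *x509.Certificate, trusted *x509.CertPool, dnsName string) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: dnsName})
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError:
		return "untrusted-issuer" // what the browser reports as an "untrusted site"
	case x509.HostnameError:
		return "hostname-mismatch"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "expired"
		}
	}
	return err.Error()
}
```

Pinning the certificate in the trust store is the out-of-band step a self-signed setup relies on; without it, every patron sees the untrusted-issuer result.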
