At Glasgow uni we operate our own campus certificate authority, which signs server certificates for many services hosted centrally, and also services hosted in departments. The CA certificate itself is part of our standard PC builds. For people who run their own machine (or for home machines) there is a one-off task of importing the CA certificate. This single step enables secure access to *all* our SSL-enabled services, avoiding certificate warnings etc.
This scheme would be no use if, for example, we were selling stuff to arbitrary customers out on the net. But in our environment, where the majority of our "customers" are using our services every day, it works well. Firstly, we save money on "commercial" certificates. Secondly, we would argue that verifying a certificate against the campus CA provides a client with a *higher* level of trust than could a commercial CA. In order to obtain a server certificate, two staff in Computing Service (who each know only half the key material for the CA passphrase) must agree the request is valid. We can, for example, give a very high level of assurance that Alan Flavell (hi!) is entitled to obtain a certificate for physics.gla.ac.uk. Whereas I'm not sure how a commercial CA could distinguish an arbitrary member of staff (or student, or member of the public) fraudulently claiming to be responsible for IT in the Physics department, and hence decline the request. YMMV.

-- Chris Edwards, Glasgow University Computing Service

## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
