Ilya Konstantinov wrote:
No they aren't indeed. But at least the browsers I'm aware of (IE, Firefox) allow usersThey don't seem to be part of the Certificate Authorities lists
provided with common mailers (Outlook Express, Mozilla...). Therefore,
they're as worthy as a "Certificate Authority" I can create with
openssl or Win2K Certificate Manager in 5 minutes.
to add new CA's, and that's what CaCert is counting on.
The idea behind certificate authorities is this:The "Free mail cert" Thawte plan suggested above seems to take similar identification
1. Only trusted large bodies, with secure authorization procedures(1)
are part of the lists provided with common software.
2. They assure your identity by secure means (seeing your ID etc.).
3. They assert that you are whoever you claim you are by signing your
certificate.
steps to the free one, so no disadvantage in that area for CaCert.
The only difference I think I identify is that CaCert allows you to get also SSL server
certificates and certificates for other proposes. Not to mention that as far as I've seen
the certificate I got from Thawte today will expire in a year - who knows what different
conditions would I have to meet next year to get another cert?
It's true that they are not in the default lists of existing browsers but on the other hand
their certificates can be used in many more ways than just for signing e-mail, if I got
everything right.
(Come to think of it - it's not unreasonable to expect them in Firefox/Konqueror's
default CA list some day soon)
And before someone gets a feeling that I attack the original idea - I didn't. I just though
that while we in the business of signing certs that maybe people would be interested in
yet ADDITIONAL way to sign certs.
--Amos
================================================================= To unsubscribe, send mail to [EMAIL PROTECTED] with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
