Duane wrote:
Nelson Bolyard wrote:
Let us suppose for this discussion that, within the next 90 days, cacert.org gets into the trusted certs list, and consequently (if I understand what cacert.org is offering) you can then get a legitimate SSL server cert from a trusted CA for free.
Why then would you continue to want or need to issue your own server certs?
Cost. The CACerts that are above and are free are only costless in terms of dollars sent to Duane. There is still the cost of setting up the server.
Which is DWARFED by the cost of setting up the clients!
What the server should do is start up and generate its own self-signed cert at install time, so it's up and running straight away. That's free to the server operator, or, it's indistinguishable in cost from the installation of the SSL server in the first place.
You set up the server once. If you set it up with a cert that is already recognized by the client, the client setup cost to use that server is zero. If you set the server up with a self-signed cert, every client must be set up to use it. That absolutely dwarfs the few extra seconds required at the time the server is set up.
I'm not sure it is easy to graft WoT onto SSL. For a start, x.509 doesn't support multiple sigs on the certs.
I *think* Duane's model is that he will issue a cert when some number of PGP signatures have appeared on a PGP key on some PGP server. Duane please correct that if that statement is mistaken.
-- Nelson B
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
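The two halves of the cost argument in this thread (the server mints a self-signed cert at install time; every client must then be told to trust it) as an added Go example that is not from the thread or from cacert.org. The host name and the use of an explicit per-client trust store are assumptions made for the demonstration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// selfSignedServerCert does what the thread proposes the server do at install
// time: mint its own key and a self-signed certificate with no CA involved.
func selfSignedServerCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// clientAccepts is the client-side check: the cert must chain to a root in this
// client's trust store. An empty store models a client that nobody configured.
func clientAccepts(cert *x509.Certificate, host string, store *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: store})
	return err == nil
}
func main() {
	cert, err := selfSignedServerCert("intranet.example") // hypothetical host
	if err != nil {
		panic(err)
	}
	fresh, trusting := x509.NewCertPool(), x509.NewCertPool()
	trusting.AddCert(cert) // the per-client step that Nelson argues dwarfs the server's work
	fmt.Println("unconfigured client accepts:", clientAccepts(cert, "intranet.example", fresh))
	fmt.Println("configured client accepts:", clientAccepts(cert, "intranet.example", trusting))
}
```

The server side is one key generation and one signing call; the client side has to be repeated once per client, which is the cost the thread is weighing against a cert from an already-trusted CA.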
