Duane wrote:
Jean-Marc Desperrier wrote:
You're using a bunch of technologies here, php, shell running

What CA uses a single technology?

It's not so much the fact of using several, but that all of them have a 'frequently badly used' tag for me.


Moreover, it's possible I got it wrong somewhere, but what I see seems

You're making the assumption that what you download is being used in production, what you download is the main website + some production scripts + some non-production scripts to make life easier for those wanting to help out with development.

Could you have a visible page on the site explaining such things, and what your architecture is? I know I could hardly trust you before I have some idea of what your architecture/procedures are, and I did not see such a thing on the site.


There is another point that is really a bad idea by itself, but that the
previous points make even worse, it's the fact your root CA directly
signs the certificates.

Chicken and egg problem, it's difficult to get people to import a single certificate, and near impossible to get them to import multiple certs unless they already exist in the browser.

They *never* should import an intermediate cert in their browser.

The web server *must* properly set up, in addition to the root, the intermediate CA used to emit its cert. Which is more work, and which they often get wrong.
But you have the advantage over some more well-known CAs that the client will not randomly have the required intermediate certs already installed, so the admin of the web server will probably see instantly that his config is wrong, and pay some more attention to the config page.
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
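
The behaviour described in the last reply, as an added example that is not part of the original thread: a throwaway root, intermediate and leaf are built with the `openssl` CLI, and a client that trusts only the root validates the leaf with and without the server supplying the intermediate. All subject names, file names and the helper functions are constructed for this demo.

```shell
#!/usr/bin/env bash
# Constructed throwaway PKI: root -> intermediate -> leaf. All names are made up.
set -eu

# Create a key and CSR for subject $2 under file prefix $1.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  new_csr "$d/root"  "Demo Root CA"
  new_csr "$d/inter" "Demo Intermediate CA"
  new_csr "$d/leaf"  "www.example.test"
  # The root is self-signed; it is the only certificate the client trusts.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # The root signs the intermediate, the intermediate signs the server cert.
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Client trusts only the root; the server sends the leaf alone.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same client; the server also sends the intermediate.
# -untrusted means "received from the peer, not a trust anchor".
verify_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
    "$1/leaf.pem" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  build_demo_pki "$d"
  if verify_leaf_only "$d"; then echo "leaf alone: OK"
  else echo "leaf alone: FAILS (issuer unknown to client)"; fi
  if verify_with_chain "$d"; then echo "leaf + intermediate: OK"
  else echo "leaf + intermediate: FAILS"; fi
  rm -rf "$d"
}
demo
```

The first check fails because the client has no way to link the leaf to the trusted root; it passes once the intermediate arrives alongside the leaf, without the intermediate ever being added to the trust store.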
