Hi Oliwer,

this is a very well-known problem for me too and not off topic. The idea of centralized keyservers with all certificates is theoretically good but otherwise not a really good idea because many certificates include email addresses. If we publish them on centralized servers then spammers will start to download the certs and extract the email addresses (a single big nightmare). So I don't like to support spammers with high-quality address lists.

The normal X.509 way is to send a signed mail. The signature usually includes the certificate of the signer. To make this procedure secure, it is common practice to publish the CA certificates to every potential customer. If you receive an email with a new signer and you trust the CA cert then you trust the new signer too and all works fine. So it is a good idea to include a reference to your root or sub CA in your mail.

There is an idea how to publish CA certificates - bridge CAs. A bridge CA is not a root CA. It only publishes a (sometimes signed) list of CA certificates. If you trust one of the CAs then you can (down)load this CA certificate and set the appropriate trust settings. So you have a list and you decide which of the CA certificates you can trust. There are some bridge CAs like the Federal Bridge CA in the US and www.bridge-ca.de but they are both local.

Is there a need to maintain a list of CA certificates with contact information like for DNS? Every browser comes with a list of commercial CAs, so what about a webpage and directory that contain the following data:

- CA cert (e.g. DFN-PCA cert)
- operator (DFN-PCA)
- contact information:
    - certificate download
    - emergency contact (e.g. for found smartcards etc.)
    - administrator email address
    - offline contacts (like phone and mail)

It could also be possible to publish lists which will be signed by different users or CAs to publish trust relationships (this is what a bridge CA does).

Such a page and/or directory could be useful for end users to get a needed cert and for administrators who build trust lists. Are there any standards for such a server? Should we (OpenCA) or any other (like TUM) start maintaining such a list or server?

Any further comments?

Michael
--
-------------------------------------------------------------------
Michael Bell                   Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice            Tel.: +49 (0)30-2093 2482
(Computing Centre)                        Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                   Email (private): [EMAIL PROTECTED]
Germany                                       http://www.openca.org



_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
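The trust decisions described in the message above (trusting a root CA, a signed mail carrying the sub CA certificate, or fetching a sub CA certificate from a bridge CA list and trusting it directly) can be reproduced with the openssl command-line tool. The following script is an added example, not code from the original post or from OpenCA; the organisation and CA names, the signer's e-mail address and the scratch directory are all constructed for the demo, and the script assumes an openssl binary (1.1.1 or later) is on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original post: builds a throwaway CA
# hierarchy (root CA -> sub CA -> S/MIME signer) with the openssl CLI and
# shows how a recipient's trust settings decide whether a signer is accepted.
# All names, the e-mail address and the scratch directory are constructed.

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# Write the X.509v3 extensions a certificate of the given kind needs.
write_ext() {                  # $1 = output file, $2 = "ca" | "smime"
    if [ "$2" = ca ]; then
        printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                      'keyUsage=critical,keyCertSign,cRLSign' > "$1"
    else
        printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
                      'keyUsage=critical,digitalSignature,nonRepudiation' \
                      'extendedKeyUsage=emailProtection' > "$1"
    fi
}

# Create a fresh RSA key and a CSR for the given subject.
make_csr() {                   # $1 = file stem, $2 = subject DN
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# Self-signed root CA (extensions come from our own file, not openssl.cnf).
make_root() {
    make_csr root "/O=Example Org/CN=Example Root CA" || return 1
    write_ext "$WORK/root.ext" ca
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -days 365 -extfile "$WORK/root.ext" -out "$WORK/root.crt" >/dev/null 2>&1
}

# Certificate for $1 issued by $2 with the $3 extension profile and subject $4.
issue() {
    make_csr "$1" "$4" || return 1
    write_ext "$WORK/$1.ext" "$3"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 365 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

build_pki() {
    make_root && \
    issue sub root ca "/O=Example Org/CN=Example Sub CA" && \
    issue alice sub smime "/O=Example Org/CN=Alice/emailAddress=alice@example.org"
}

# Verification scenarios; exit status 0 means the signer is accepted.
# 1. Recipient trusts only the root and the mail carried no sub CA cert.
verify_root_only() {
    openssl verify -purpose smimesign -CAfile "$WORK/root.crt" \
        "$WORK/alice.crt" >/dev/null 2>&1
}
# 2. Same trust store, but the signed mail included the sub CA cert; it is
#    treated as untrusted input and only used to build the chain.
verify_root_with_sub_supplied() {
    openssl verify -purpose smimesign -CAfile "$WORK/root.crt" \
        -untrusted "$WORK/sub.crt" "$WORK/alice.crt" >/dev/null 2>&1
}
# 3. Recipient fetched the sub CA cert (e.g. from a bridge CA list) and
#    trusts it directly as an anchor; a partial chain must be allowed.
verify_sub_as_anchor() {
    openssl verify -purpose smimesign -CAfile "$WORK/sub.crt" -partial_chain \
        "$WORK/alice.crt" >/dev/null 2>&1
}
# 4. As 3 but with the default strict chain: the sub CA is not self-signed,
#    so openssl keeps looking for its issuer and rejects the signer.
verify_sub_as_anchor_strict() {
    openssl verify -purpose smimesign -CAfile "$WORK/sub.crt" \
        "$WORK/alice.crt" >/dev/null 2>&1
}

report() {                     # $1 = label, $2 = function name
    if "$2"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}

if build_pki; then
    report "root trusted, no sub CA cert in mail   " verify_root_only
    report "root trusted, sub CA cert sent in mail " verify_root_with_sub_supplied
    report "sub CA trusted directly, partial chain " verify_sub_as_anchor
    report "sub CA trusted directly, strict chain  " verify_sub_as_anchor_strict
else
    echo "could not build demo PKI (is openssl installed?)" >&2
fi
```

Scenarios 1 and 2 are the point made in the message: a recipient who has only the root in the trust store accepts the signer only when the sub CA certificate travels with the signed mail. Scenario 3 is the bridge CA case, where the downloaded sub CA certificate is installed as a trust anchor, and scenario 4 shows why the "appropriate trust settings" matter: without allowing a partial chain, a non-self-signed anchor is not enough.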