> ok I agree that a central cert server will be a paradise for spam-crawlers - on the other hand - I will publish there an "accept only signed mail" address - so my spam-filter will block everything unsigned to this address...

Yes, but this is a very special construction and not really usable for the rest of the world.

> I don't know the exact structure of the x509 syntax, but I think it can be useful to implement a Web-URL/LDAP Pointer into every cert which describes where to fetch information about the issuing CA in a standardized manner - so the receiving client (Outlook, Netscape Mail) will not only ring the alarm bells but refer to a certain kind of information about the CA - this will help even novice users to understand what is happening there.

Such links already exist. You can use authorityInfoAccess or certificatePolicies (CPS.* in policy section) - see openssl.txt.

> On the other hand it would be a great effort to get a kind of "public domain" base certificate delivered with the browsers - the cert should be controlled by a community and certify other CAs for less than that amount of money the commercial sellers want for a CA-Cert...
> But this is just a political thing...

No, no, no! This construction results in a single trusted root-CA which gives no warranties. The result is an infrastructure which is completely insecure. Example:

The certificates of the banks would have the same security level as any other certificate!

A bridge-CA or an unauthorized list of CA-certificates with some offline infos give the administrators the chance to set up a list of trusted roots. This is the idea of the bridge CA. There is a list and the different organizations can freely define whom they trust. This is the idea which I prefer.

The question is, should OpenCA or any other Open Source group start to collect a list of CA certificates and the appropriate offline contact information like for DNS? This list can grow very fast and it must be easily exportable.

Any comments?
Greetings Michael
--
-------------------------------------------------------------------
Michael Bell                        Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice      Tel.: +49 (0)30-2093 2482
(Computing Centre)                  Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6                  Email (private): [EMAIL PROTECTED]
10099 Berlin, Germany               http://www.openca.org
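The two points in Michael's reply, the authorityInfoAccess/certificatePolicies (CPS) pointers from openssl.txt and the per-organization trust list, as an added shell example using the OpenSSL config syntax; this is not code from the thread or from OpenCA. The example.invalid hosts, the 1.3.6.1.4.1.99999 OID arc and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a self-signed CA certificate whose
# authorityInfoAccess and certificatePolicies (CPS pointer) tell a relying party
# where to learn about the issuer, then shows a locally chosen trust list deciding
# whether a leaf issued by that CA verifies. All URIs and OIDs are placeholders.
set -e
WORK=$(mktemp -d)

make_ca_with_pointers() {   # prints the CA certificate in text form
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Example Community Root CA
[ ca_ext ]
basicConstraints    = critical, CA:TRUE
keyUsage            = critical, keyCertSign, cRLSign
# where a client can fetch the issuer cert and check status (placeholder hosts)
authorityInfoAccess = caIssuers;URI:http://ca.example.invalid/ca.crt,OCSP;URI:http://ocsp.example.invalid
# policy OID (placeholder arc) plus the CPS pointer describing the CA's practices
certificatePolicies = @policy_sect
[ policy_sect ]
policyIdentifier = 1.3.6.1.4.1.99999.1.1
CPS.1            = "http://ca.example.invalid/cps.html"
EOF
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 1 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl x509 -in "$WORK/ca.crt" -noout -text
}

# Issue a leaf from the CA, then verify it against a trust list (PEM file of the
# roots an administrator chose). Returns the exit status of openssl verify.
verify_leaf_against_trustlist() {   # $1 = trust list file
    if [ ! -f "$WORK/leaf.crt" ]; then
        openssl req -new -nodes -newkey rsa:2048 -subj "/CN=leaf.example.invalid" \
            -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
        openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
            -CAcreateserial -days 1 -out "$WORK/leaf.crt" 2>/dev/null
    fi
    openssl verify -CAfile "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}
```

Run `make_ca_with_pointers` to see the "Authority Information Access" and "Certificate Policies" blocks in the decoded certificate; a leaf verifies only when its issuing root is in the trust list handed to `verify_leaf_against_trustlist`.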
