Hi Michael, Hi List,

I don't know the exact structure of the x509 syntax, but I think it can be useful to implement a Web-URL/LDAP pointer into every cert which describes where to fetch information about the issuing CA in a standardized manner - so the receiving client (Outlook, Netscape Mail) will not only ring the alarm bells but refer to a certain kind of information about the CA - this will help even novice users to understand what is happening there.

Such links already exist. You can use authorityInfoAccess or certificatePolicies (CPS.* in policy section) - see openssl.txt.

I will have a look - would be great if OpenCA brings it by default :)


On the other hand it would be a great effort to get a kind of "public domain" base certificate delivered with the browsers - the cert should be controlled by a community and certify other CAs for less than that amount of money the commercial sellers want for a CA-Cert....
But this is just a political thing....

No, no, no! This construction results in a single trusted root-CA which gives no warranties. The result is an infrastructure which is completely insecure. Example:


The certificates of the banks would have the same security level as any other certificate!

That's a problem which was discussed some months ago in Heise's iX - the management of Root-CAs in the browsers does not allow a kind of rating of the CAs. Heise tested some of the CAs and it was very easy to get a certificate with completely wrong information which is accepted by browsers without a warning. Of course you can add/delete certificates in the Cert-Manager of the browser, but which of the 99% PC dummies out there does this? I think that I will trust a well managed community CA more than some CA on the antigues which sell "browserproof certs" for some dollars. I have some of these certs running just to get rid of the alarms and I know how hard it was to get a cert....

A bridge-CA or an unauthorized list of CA-certificates with some offline info gives the administrators the chance to set up a list of trusted roots. This is the idea of the bridge CA. There is a list and the different organizations can freely define whom they trust. This is the idea which I prefer.

I agree that this is the most secure way but it is not convenient - and this is the point why no one is using digital signatures - but perhaps the ssl-extensions mentioned above will solve my problem - I will check...

The question is, should OpenCA or any other Open Source group start to collect a list of CA certificates and the appropriate offline contact information like for DNS? This list can grow very fast and it must be easily exportable.

I think this is a very good idea....


regards oliver
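As an added example that is not part of this thread or of OpenCA's own configuration, the script below issues a self-signed test CA certificate carrying the two pointers mentioned above, authorityInfoAccess and a certificatePolicies CPS URI, and then checks that both appear in the certificate. The CA name, the URLs and the OID arc 1.3.6.1.4.1.99999 are assumed placeholders, not real services.

```shell
#!/bin/sh
# Added example (not from the thread): build a test CA cert with OpenSSL that
# tells a relying party where the issuer cert, its OCSP responder and its CPS
# can be found, then verify the extensions are present in the issued cert.
set -eu

WORK="$(mktemp -d)"
CONF="$WORK/ca.cnf"
cat > "$CONF" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no

[ dn ]
CN = Example Community CA

[ ca_ext ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Where a client can fetch the issuer certificate and query its status.
authorityInfoAccess  = caIssuers;URI:http://ca.example.org/ca.crt, OCSP;URI:http://ocsp.example.org/
# Policy OID (placeholder arc) plus the CPS a user can read before trusting the CA.
certificatePolicies  = @policy_cps

[ policy_cps ]
policyIdentifier = 1.3.6.1.4.1.99999.1.1
CPS.1            = "http://ca.example.org/cps.html"
EOF

# Self-signed CA certificate, valid 30 days, unencrypted test key.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -config "$CONF" 2>/dev/null

# Returns 0 when the certificate text carries both pointers, non-zero otherwise.
has_ca_pointers() {
  TEXT="$(openssl x509 -in "$1" -noout -text)"
  printf '%s\n' "$TEXT" | grep -q 'CA Issuers - URI:http://ca.example.org/ca.crt' &&
  printf '%s\n' "$TEXT" | grep -q 'CPS: http://ca.example.org/cps.html'
}

has_ca_pointers "$WORK/ca.crt" && echo "AIA and CPS pointers present in $WORK/ca.crt"
```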




Openca-Users mailing list: https://lists.sourceforge.net/lists/listinfo/openca-users
