Well... the discussion so far shows that

1. there ARE technical solutions
2. there are NO practical solutions regarding the TRUST which you can put into such a CA (being registered by any authority isn't enough, as I won't EVER trust an authority which gives certificates to ANYBODY)

Obviously there is an open solution for a similar problem, namely PGP's "Web of Trust" (open and free only due to GNU's "Privacy Guard" (GPG)... reminds me of: Did I mention that Germany's Secretary of Trade donated 150.000 Euro for the development of user friendly integrations of GNU's GPG into Email and E-commerce applications?).

BUT: The "Web of Trust" won't work in an SSL environment. PGP/GPG works just great in a personalized environment, where you want to sign mails or documents or just encrypt them for business partners or friends. But there must be a connection to the partners in question, be it direct or indirect. All the PGP/GPG keyservers and databases around the world ONLY serve the purpose to let you check the INTEGRITY of keys and get a very sketchy impression that the name you used as addressee is somehow connected to the key you used to sign... but in NO WAY that this key is connected to a certain real person.

On the other hand: SSL/OpenSSL's sole application which makes real sense is in setting up secure connections AUTOMATICALLY, with AUTOMATIC TRUST. This has been the difference between PEM (and afterwards S/MIME and SSL) and PGP from the very beginning. One has trust built in and the other needs you to put trust explicitly into it.

Regarding the number of different sites I, e.g., daily get in contact with, I can clearly say that I won't ever be able to put trust into all the sites' certificates myself, that I absolutely need an automatic solution which I do trust.

Open and free software is great! Open and free software for CAs is at least as great! But open and free CAs will never be even NEAR greatness!
Besides: I really would love to help building such a CA (I do have some experience with Europe's ITSEC/Common Criteria evaluations and I already consulted a company which thought about opening a CA according to Germany's Signature Law.) Believe me though, it won't work without certain minimal security measures and that means CONTROL (i.e. revision) and MONEY (well... perhaps not that much money as some think...).

Peaceful Regards
Michael

--
/ 3C Dr.Klingler, Dr.Portz GbR
/ Kaiserstr. 100
/ 52134 Herzogenrath
/ Germany
/ Tel: ++49 2407 96056
/ Fax: ++49 2407 96292
/ Email: mailto:[EMAIL PROTECTED]
/ WWW: http://www.3CKP.com/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]