One solution to the fact that the new CA is not embedded in IE nor Netscape is
to:

1) get a certificate from Verisign for component developers (2 actually, one
for IE and one for Netscape),

2) Develop an ActiveX for IE and a Plug-in for Netscape which installs the
new CA certificate as trusted (using for example
Michael Pogrebisky's code),

3) Sign the ActiveX and the plug-in using the Verisign certificate,

4) Web administrators could then start addressing certificate signing
requests to the new CA,

5) after some verification (following a security policy to be defined) the
CA would send back the signed certificate to the Web administrator (as well
as the ActiveX and the plug-in),

6) The Web administrator could then set up his SSL server, not forgetting to
place on his website a special page containing the ActiveX for IE and
the plug-in for Netscape,

7) Users accessing the Web site would transparently download the ActiveX
if using IE or the plug-in if using Netscape (this will only be needed the
first time the user accesses a site certified by the new CA),

8) the user is presented the certificate issued by Verisign to the new CA
which he can choose to accept (if he trusts the new CA) or reject (if he
doesn't trust the new CA nor Verisign and if he understands what this
certificate is all about),

9) if the user accepts the certificate, the new CA is installed in the
browser (in a secure way because the CA public key could not have been
falsified by the Web administrator nor altered during the HTTP download),

10) SSL sessions can now be established to access the Web site through
HTTPS.

Note: this proposal deals with the SSL server certificates and could also be
extended for component developers.
For SSL client certificates, I don't see any benefit in using a Verisign
certificate instead of a self-generated certificate anyway.
And for e-mail certificates, a web-of-trust à la PGP is better than a
Verisign user ID from my point of view (an e-mail address can be easily
spoofed, I believe).

Nicolas Roumiantzeff.

-----Original Message-----
From: Theodore Hope <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Sunday, December 26, 1999 20:37
Subject: Re: Seeking officers for Free-software-friendly CA


>Stefan,
>
>> At first, Netscape was very fast in telling us that the price for including
>> up to five "trusted roots" would be $250,000. Although we still showed
>> interest they suddenly stopped communicating with us. Still, this was a
>> better response than the silence we received from Microsoft. It took us
>> almost half a year of nagging to get an email back which was completely
>> useless!  :-(
>
>Indeed, this is the problem!
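As an added example (not code from the original thread, nor from any project it mentions), the following POSIX shell script uses the openssl command-line tool to walk through the certificate side of the proposal above: a private CA that no browser ships (the "new CA"), a server certificate issued from a web administrator's signing request, and what a client sees with and without that CA among its trusted roots. Every name and path in it is constructed for the demo; the ActiveX/plug-in delivery and the Verisign code-signing of that component are outside what the script shows.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a private CA, has it
# sign a server certificate from a CSR, and contrasts verification by a
# client that trusts the CA with one that does not. Requires the openssl
# command-line tool; all names and paths are constructed.
set -e

WORK="${TMPDIR:-/tmp}/newca-demo.$$"

# Minimal request config so the demo does not depend on the system openssl.cnf.
write_config() {
    mkdir -p "$WORK"
    cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# The new CA: a key and a self-signed root certificate (what the proposal's
# ActiveX/plug-in would install into the browser as a trusted root).
setup_ca() {
    write_config
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/req.cnf" -subj "/CN=Example New CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Web administrator's side: key and certificate signing request (step 4),
# then the CA signs it (step 5), adding the extensions an SSL server needs.
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/req.cnf" -subj "/CN=www.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'subjectAltName = DNS:www.example.test' \
        'extendedKeyUsage = serverAuth' > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 90 -sha256 -extfile "$WORK/server.ext" \
        -out "$WORK/server.crt" 2>/dev/null
}

# Who issued the server certificate (the new CA, not a built-in root).
server_issuer() {
    openssl x509 -in "$WORK/server.crt" -noout -issuer
}

# Client that has the new CA as a trusted root (after step 9): returns 0.
verify_trusting_new_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Client whose only trusted root is an unrelated CA (a stand-in for a stock
# browser store without the new CA): verification must fail, so this
# function returns 0 exactly when the certificate is rejected.
verify_without_new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/req.cnf" -subj "/CN=Unrelated Root" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
    if openssl verify -CAfile "$WORK/other.crt" "$WORK/server.crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

cleanup() { rm -rf "$WORK"; }

# Stand-alone run: sh newca-demo.sh demo
if [ "${1:-}" = "demo" ]; then
    setup_ca
    issue_server_cert
    server_issuer
    verify_trusting_new_ca && echo "trusting the new CA: server.crt verifies"
    verify_without_new_ca && echo "without the new CA: server.crt is rejected"
    cleanup
fi
```

The second verification is the situation the thread is about: a certificate chain is only as useful as the client's trust store, so a CA that is not shipped in the browser must get its root onto each client by some other channel before HTTPS to its sites can work without warnings.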


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
