Yes, I think both solutions are equivalent from a crypto point of view and are
both definitely better than manually installing a CA cert through an
unsecured download.
There might be two practical differences though:
1) I am not sure that the browser (IE and NN) UI will let the user tell the
difference between installing a CA cert through a secured SSL connection and
through an unsecured connection.
2) And most important, with the ActiveX and Plug-in/SmartUpdate scheme, you
can automatically detect if the CA cert has already been installed or not.
Nicolas Roumiantzeff.
Note: re-reading Pete Chown's previous message, I think Pete and Steve are
describing exactly the same scheme.
-----Original Message-----
From: Dr Stephen Henson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Friday, 7 January 2000 10:59
Subject: Re: Seeking officers for Free-software-friendly CA
>Nicolas Roumiantzeff wrote:
>>
>>
>> In the solution I suggested, the CA cert is not installed manually (as when
>> you connect to an SSL server which is not "chained" to a trusted CA of the
>> browser) but installed automatically (by an ActiveX or a Netscape Plug-in
>> using SmartUpdate). Did you get the point that the ActiveX and the plug-in
>> would be signed?
>>
>
>What about serving up the CA certificate via an SSL server whose
>certificate is from a "standard" CA? Then you get the assurance that SSL
>session hasn't been tampered with and a "trusted" CA has certified the
>server itself.
>
>Steve.
>--
>Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
>Personal Email: [EMAIL PROTECTED]
>Senior crypto engineer, Celo Communications: http://www.celocom.com/
>Core developer of the OpenSSL project: http://www.openssl.org/
>Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>______________________________________________________________________
>OpenSSL Project http://www.openssl.org
>User Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]