On Wed, May 24, 2000 at 12:02:55PM +1200, Jason Haar wrote:
> I feel everyone is missing the point.
>
> What do I do as a company when I want to "acquire" 1,000's of user certs so
> that my users can (e.g.) use IPSec VPN solutions over the Internet to
> access corporate services?
>
> I don't _need_ a major CA to be guaranteeing the validity - I need to be the
> CA!
>
> Other commercial outfits are producing CAs (Microsoft come to mind - anyone
> running Active Directory!?!?!?), so why cannot there be an Opensource one?!?!?
>
> [yes, there are, I know - I'm just trying to impress that this issue isn't as
> black-and-white as is being said]
>
I think there is confusion about what you believe should exist:

Your original posting looked to me as if it was suggesting there should be
a free or low cost CA *service* based on open source software. People have
argued that to sign a certificate with any due diligence takes effort and
therefore has to be funded somehow.

Now it seems like you are talking about merely developing free (libre) CA
software, which anyone may take and use. Well, OpenCA is already making
progress (it needs work: why not help them?). OpenSSL itself contains a
mini CA application already.

In your example:

> What do I do as a company when I want to "acquire" 1,000's of user certs so
> that my users can (e.g.) use IPSec VPN solutions over the Internet to
> access corporate services?

... you're right: your company may set up its own internal CA. It may define
its own procedures to verify that certificate requests are valid before
signing them. Then, all your users will have to do is to import your new
root CA certificate, such that their clients trust certificates issued by your
CA.

Getting people outside your organisation to trust your CA would be a different
matter.
--
-------------------------------------------------------------------------------
Ooh, it's 'orrible being in love when you're eight and a half.
I've got your picture on my wall and your name upon my scarf.
-------------------------------------------------------------------------------
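
Added example, not part of the original message: the internal-CA workflow the reply describes (own root, own request checks, clients trusting only what chains to the imported root), using the openssl command line. The organisation names, user names, the roster file staff.txt and the helper function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed example: organisation names, user names, roster and lifetimes are made up.
set -e
write_config() {      # minimal config, so nothing depends on a system openssl.cnf
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_user]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}
make_root_ca() {      # $1 = directory, $2 = organisation; self-signed root
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/ca.cnf" -extensions v3_ca -subj "/O=$2/CN=$2 Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}
make_request() {      # user side: key pair plus certificate signing request
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/ca.cnf" \
        -subj "/O=Example Corp/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}
approve_and_sign() {  # CA side: the company's own checks, then the signature
    openssl req -verify -noout -in "$1/$2.csr" 2>&1 | grep -q "verify OK" || return 1
    cn=$(openssl req -in "$1/$2.csr" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    grep -qxF "$cn" "$1/staff.txt" || return 1   # requester must be on the roster
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$1/ca.cnf" \
        -extensions v3_user -out "$1/$2.crt" 2>/dev/null
}
trusted_by() {        # does a client holding trust anchor $1 accept certificate $2?
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
d=$(mktemp -d); o=$(mktemp -d)                 # company CA, unrelated outside CA
write_config "$d"; write_config "$o"
printf 'alice\nbob\n' > "$d/staff.txt"
make_root_ca "$d" "Example Corp"; make_root_ca "$o" "Other Org"
make_request "$d" alice; approve_and_sign "$d" alice
trusted_by "$d/ca.crt" "$d/alice.crt" && echo "client with company root: accepted"
trusted_by "$o/ca.crt" "$d/alice.crt" || echo "client without company root: rejected"
```

In a real deployment ca.key stays on the CA host only, and the roster check stands in for whatever request-validation procedure the organisation defines.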