> -----Original Message-----
> From: Jason Haar [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 23, 2000 7:03 PM

> I feel everyone is missing the point.

No, we're discussing a different point.  You're talking about signing
certificates for your own private use; we're talking about signing them for
public use, which means the clients are not under our control, and we can't
force them to have our root certificates.

> What do I do as a company when I want to "acquire" 1,000's of user certs so
> that my users can (e.g.)  use IPSec VPN solutions over the Internet to
> access corporate services?

You set up your own private CA.

> I don't _need_ a major CA to be guaranteeing the validity - I 
> need to be the CA!

Right.  That has nothing to do with signing for public use, however.

> Other commercial outfits are producing CAs (Microsoft come to mind - anyone
> running Active Directory!?!?!?), so why cannot there be an Opensource one?!?!?

Microsoft owns the client in this case.

> [yes, there are, I know - I'm just trying to impress that this issue isn't as
> black-and-white as is being said]

That's because it's two different issues.  If you want to sign a certificate
for a client you don't control, you're going to need a signature from a CA
the client already recognizes, or you're going to have to convince the user
to add your CA to the client (assuming that's even an option).  Convincing
the user probably won't be difficult - anyone who ran the ILY trojan is a
likely candidate - but on-line businesses typically aren't interested in
taking that chance.  If you are, fine.

Michael Wojcik             [EMAIL PROTECTED]
MERANT
Department of English, Miami University
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
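
The distinction drawn in the reply above, as an added example that is not part of the original message: a certificate issued by a private CA verifies on a client that holds that CA's root and is rejected by a client that holds only some other root. All subject names, file names and the "Stand-in Public Root" are constructed for illustration; it assumes the `openssl` command-line tool (1.1.0 or later) is installed.

```shell
#!/usr/bin/env bash
# Added example. Every subject name and file name here is constructed.
set -eu

# make_root DIR NAME CN: create a self-signed root (DIR/NAME.pem) marked as a CA.
make_root() {
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$1/req.cnf" -subj "/O=Example Corp/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_user_cert DIR CA USER: the private CA signs USER's certificate request.
# Reuses DIR/req.cnf written by make_root.
issue_user_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$1/req.cnf" -subj "/O=Example Corp/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -sha256 -days 7 -out "$1/$3.pem" 2>/dev/null
}

# client_trusts ROOTS CERT: true only if CERT chains to a root the client holds.
# (openssl may also consult the system store; the constructed roots are not in it.)
client_trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  make_root "$d" corp_ca "Example Private CA"       # CA the company runs itself
  make_root "$d" public_ca "Stand-in Public Root"   # root an outside client ships with
  issue_user_cert "$d" corp_ca vpn-user-0001
  # Managed client: the company installed its own root on it.
  client_trusts "$d/corp_ca.pem" "$d/vpn-user-0001.pem" && managed=trusted || managed=rejected
  # Client outside the company's control: it has never seen the private root.
  client_trusts "$d/public_ca.pem" "$d/vpn-user-0001.pem" && outside=trusted || outside=rejected
  rm -rf "$d"
  echo "managed=$managed outside=$outside"
}

demo
```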
