At 05:18 PM 1/12/2005 -0700, L Nehring writeth:

>Have a look at this http://www.schneier.com/paper-pki-ft.txt
>and some other papers on that site. I run my own CA because I
>neither trust nor can I afford Verisign. There's no technical difference
>in the certs.
>
>best regards,
>Lance
>http://www.newparticles.com/
The only major issue with your own CA is that users will get a dialog box that might scare them off (your root is not in their trusted root). They are used to automatically getting dropped into a secure connection and a sudden change from the norm might make them panic (most Windows users have never seen the IE SSL security dialog before). There are lots of cheaper CAs than Verisign that are trusted by users' browsers.

A lot of businesses in this corner of the world are just itching for cacert.org to come up with inclusion of their CA into user browsers (particularly IE) to finally drop Verisign/Thawte. I had a similar system set up a couple years ago and a number of people used it - theirs is only slightly more elaborate. The major problem with custom CAs is inclusion in browsers.

I doubt cacert.org can sustain itself on "free" for very long - especially after inclusion. What they should be instead is something like CDDB - a secure database of root certificates. A browser only needs one certified CA then to get the database of root certs. This allows CAs to issue certs for free or a price or whatever and get included in all browsers every week after _they_ are certified. The browser merely checks the main server once a week for updates to the root database and adds the changes across a secured SSL connection. This method allows the super-paranoid-government-spies-are-everywhere people to issue a replacement CA certificate every week (obviously re-signing all signed certificate requests) versus the current once every ten years.

Thomas J. Hruska
[EMAIL PROTECTED]
Shining Light Productions
Home of the Nuclear Vision scripting language and ProtoNova web server.
http://www.slproweb.com/

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]