At 09:00 AM 6/22/2004, Jennifer Teig von Hoffman wrote:
>One question I have about all this: I'd been assuming that if your clients
>and server are all behind a firewall, that you'd need a CA of your own
>since the clients and servers couldn't communicate with a CA. But I'm
>starting to wonder if I'm mistaken. Is it enough to simply have the
>trusted CA certs, and the identity (or anonymous) certs?
Yup. This is one of the design points of the overall public key infrastructure: one does not need access to a central database to verify the veracity of identity certificates. It's also one of the liabilities, as it makes certificate revocation more difficult.

--bob
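[Editor's added example, not part of the thread above.] The script below demonstrates both halves of Bob's answer with OpenSSL, entirely offline: a client holding only the CA certificate can validate a certificate that CA issued without contacting anything, and the same client keeps accepting that certificate after the CA revokes it unless it is also handed a CRL and told to check it. The CA name, the server name, the throwaway config for `openssl ca` and the scratch directory are all constructed for the example; nothing here comes from the list or any real deployment.

```shell
#!/bin/sh
# Added example: offline certificate-chain validation and its revocation blind spot.
# Requires only the openssl CLI; every file lives in a scratch directory.
set -e

# Build a throwaway PKI in directory $1: a self-signed CA and one server
# certificate it signs. In a real deployment ca.key stays on the CA host;
# only ca.crt is copied to the clients. (Names are constructed for the example.)
make_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Internal Test CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=server.internal.test" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 90 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/server.crt" >/dev/null 2>&1
}

# The client-side check from the thread: the trusted CA cert plus the
# presented cert, and no network access. Prints "valid" or "invalid".
chain_status() {
  if openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
  then echo valid; else echo invalid; fi
}

# The same check, but the client also has a CRL and insists on consulting it.
chain_status_crl() {
  if openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" \
       "$1/server.crt" >/dev/null 2>&1
  then echo valid; else echo invalid; fi
}

# The CA side: revoke the server cert and publish a CRL. 'openssl ca' needs a
# small config and an index file; this minimal one is constructed for the example.
revoke_and_publish_crl() {
  dir=$1
  : > "$dir/index.txt"
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 7
policy = any_policy
[ any_policy ]
commonName = supplied
EOF
  openssl ca -config "$dir/ca.cnf" -revoke "$dir/server.crt" >/dev/null 2>&1
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ca.crl" >/dev/null 2>&1
}

# Run the whole story in a fresh directory and print three words:
# status before revocation, after revocation without a CRL, after with the CRL.
scenario() {
  d=$(mktemp -d)
  make_pki "$d"
  before=$(chain_status "$d")
  revoke_and_publish_crl "$d"
  without_crl=$(chain_status "$d")
  with_crl=$(chain_status_crl "$d")
  rm -rf "$d"
  echo "$before $without_crl $with_crl"
}

scenario   # prints: valid valid invalid
```

The middle word is the liability Bob mentions: the signature on the revoked certificate is still good and the CA certificate is still trusted, so a client that has nothing but those two files cannot tell the difference. Inside a firewalled network the CRL (or an OCSP responder) has to be distributed by some path the clients can actually reach, and clients have to be configured to fail when it is missing or stale; otherwise revocation is a CA-side bookkeeping entry with no effect.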

