Peter Gutmann wrote:
A depressing number of CAs generate the private key themselves and mail out to the client. This is another type of PoP, the CA knows the client has the private key because they've generated it for them.
It's also cost-effective. The CA model as presented is too expensive. If a group makes the decision to utilise the infrastructure for signing or encryption, then it can significantly reduce costs by rolling out from the centre.
I see this choice as smart. They either don't do it at all, or they do it cheaply. This way they have a benefit.
(Then, there is still the option of upgrading to self-created keys later on, if the project proves successful and the need can be shown.)
As a landmark, I received my first ever correctly signed X.509 message the other day. I've yet to find the button on my mailer to generate a cert, so I could not send a signed reply. Another landmark for the future, of course.
iang
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
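The two proof-of-possession flows Gutmann contrasts above, driven through the openssl command line as an added example (this is not code from the list post or from any CA). Flow A is the usual one: the client generates its own key and sends a CSR, and since a CSR is self-signed with the enrolling key, the CA's check of that signature is the PoP. Flow B is the one he calls depressing: the CA generates the key pair itself and would mail key and certificate out, so no PoP exchange is needed because the CA holds the key by construction. The script assumes an openssl binary on PATH; the subject name and the tampered request are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not code from the list post): the two proof-of-possession
# (PoP) flows contrasted in the thread, run through the openssl CLI.
#   Flow A: client generates its own key and submits a CSR. The CSR is
#           self-signed with the enrolling key, so a valid CSR signature
#           is the CA's proof that the requester holds the private key.
#   Flow B: the CA generates the key pair itself and would mail key and
#           certificate to the client. No PoP exchange is needed: the CA
#           holds the key by construction (which is also the weakness).
# Assumes an openssl binary on PATH. Subject name is made up for the example.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ="/CN=client.example"

# Flow A, client side: the private key never leaves the client; only the CSR does.
client_make_csr() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/client.key" 2>/dev/null
    openssl req -new -key "$WORK/client.key" -subj "$SUBJ" \
        -out "$WORK/client.csr" 2>/dev/null
}

# Flow A, CA side: verifying the CSR's self-signature is the PoP check.
# The exit status is the verdict. openssl prints "verify OK" only on success,
# and older releases exit 0 even on failure, so the text is what we test.
ca_check_pop() {            # $1 = CSR file, $2 = PEM|DER
    openssl req -in "$1" -inform "$2" -verify -noout 2>&1 | grep -q "verify OK"
}

# Flow B: central generation. Key and certificate are created together by the CA.
ca_generate_for_client() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/central.key" -out "$WORK/central.crt" \
        -subj "$SUBJ" -days 1 2>/dev/null
    # The CA can confirm the pairing with no protocol at all: the public key
    # in the certificate must equal the public half of the key it generated.
    crt_pub=$(openssl x509 -in "$WORK/central.crt" -pubkey -noout)
    key_pub=$(openssl pkey -in "$WORK/central.key" -pubout 2>/dev/null)
    [ "$crt_pub" = "$key_pub" ]
}

# Negative case for Flow A: a CSR whose signature does not verify must be
# rejected. Re-encode the good CSR as DER and perturb its final byte (inside
# the ECDSA signature), simulating a request not really signed by the key.
csr_with_bad_signature() {  # writes $WORK/bad.der
    openssl req -in "$WORK/client.csr" -outform DER -out "$WORK/good.der" 2>/dev/null
    size=$(wc -c < "$WORK/good.der")
    last=$(tail -c 1 "$WORK/good.der" | od -An -tu1 | tr -d ' ')
    head -c "$((size - 1))" "$WORK/good.der" > "$WORK/bad.der"
    printf "\\$(printf '%03o' "$(( (last + 1) % 256 ))")" >> "$WORK/bad.der"
}

client_make_csr
ca_check_pop "$WORK/client.csr" PEM && echo "Flow A: CSR signature verifies, PoP established"
ca_generate_for_client && echo "Flow B: CA-generated key matches the certificate it issued"
csr_with_bad_signature
if ca_check_pop "$WORK/bad.der" DER; then
    echo "BUG: tampered CSR accepted"; exit 1
else
    echo "Flow A: tampered CSR rejected, no PoP"
fi
```

The point of the negative case is what Flow B gives up: in Flow A the CA can detect a request from someone who does not hold the key, while in Flow B the CA can only vouch that it, not necessarily the named subject, held the key at issuance.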