Eddy Nigg (StartCom Ltd.) wrote:
> Therefore I think it's wrong to categorically deny OpenSSL as a useless
> piece of code not worthy to be used by CAs - just because some code-hero
> (or script-kiddy) had it wrong. That's certainly not the case!

You're right, my comment was a bit snarky in a way I didn't really intend, and I apologize for that. I agree that OpenSSL is a good product (and one that the Mozilla Foundation has helped fund some development for, BTW), and in any case the present problem is really an OpenSSL on Debian problem, not an OpenSSL problem per se.

However it's still unclear to me how many public commercial CAs have incorporated OpenSSL+Debian, or even just OpenSSL, as a core part of their infrastructure. You're willing and able at Startcom to "hand build" large parts of your CA system, but I'm not sure if that's common among public commercial CAs, or whether Startcom is unusual in this regard. I'd rather guess that most public commercial CAs are deploying off-the-shelf commercial CA software bought from a third party.

Frank

P.S. Since we're talking about hackable CA software, I'll also mention the Dogtag project out of Red Hat, the open source version of the commercial Red Hat Certificate System.

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto