Erwann ABALEA <[email protected]> writes:

>How did you come to write that the software used by VeriSign and most CAs is
>based on OpenSSL and a few graphical front-ends such as TinyCA, without any
>expensive hardware?

That's probably quite accurate, most people who want to issue certs download and build OpenSSL and start cranking them out. I think you've interpreted the text to mean "most commercial CAs" whereas in fact it's saying "most crank-out-certificates operations".

>The fact that DigiNotar, and now KPN have proven to be bad actors doesn't
>mean that all of the others are as bad.

DigiNotar's software was exquisitely homebrew, nothing else had quite that range and variety of bugs. (Many European commercial CAs also homebrew their stuff... from looking at some of the publicly visible bugs there, it's actually a liability, not a feature).

Peter.
