> >What I was hoping to determine from this thread was whether or not by > >using a verified cert one could determine in a trusted manner who the > >user is. > > You really think X509 certs should be a global ID > mechanism? You think it's a step backwards that > they're not? I wouldn't describe it as a step backwards. But I wouldn't consider it a step forward either. What is the purpose of global CAs such as Verisign if I can't trust the certificates to identify an end user? If I must require that all users register their certs in my own local database than I might as well be my own CA. So much for interoperability. Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2 The Kermit Project * Columbia University 612 West 115th St #716 * New York, NY * 10025 http://www.kermit-project.org/k95.html * [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]