>What is the purpose of global CAs such as
>Verisign if I can't trust the certificates to identify an end user?
That is indeed the question. At least the part before the "if" :)
At least now you can have a single value (subject,issuer,serial#)
to map "global identity" (sic) into local credentials. If you
think that any random cert signed by any random CA can be trusted
by your local programs.
In many cases globally-scalable identities have to be mapped down
into a smaller ID space -- e.g., a 32bit Unix userid.
There's no magic bullet here.
/r$
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
