> >What is the purpose of global CAs such as
> >Verisign if I can't trust the certificates to identify an end user?
>
> That is indeed the question. At least the part before the "if" :)
>
> At least now you can have a single value (subject,issuer,serial#)
> to map "global identity" (sic) into local credentials. If you
> think that any random cert signed by any random CA can be trusted
> by your local programs.
>
> In many cases globally-scalable identities have to be mapped down
> into a smaller ID space -- e.g., a 32-bit Unix userid.
>
> There's no magic bullet here.
> /r$

I'm not looking for a magic bullet. What I am looking for is a method to package and distribute clients and servers that will work out of the box. And the answer is that if you want to do client auth with PKI then you can't. You need to modify the code to support whatever local system is in use for certificate-to-ID mapping.

What this says to me is that Client Auth should not be a part of SSL/TLS and that the client auth protocol should be built on a higher layer, whether that client authentication layer be PKI based or something like Kerberos, Secure Remote Password, SecurID, OTP, or something else.

Jeffrey Altman * Sr. Software Designer * Kermit-95 for Win32 and OS/2
The Kermit Project * Columbia University
612 West 115th St #716 * New York, NY * 10025
http://www.kermit-project.org/k95.html * [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                          [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]
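The mapping the quoted reply describes, a global certificate identity reduced to a local uid through site-local policy rather than trust in "any random CA", as an added Go example that is not part of this thread or of OpenSSL. The CA names, serials and uid values are constructed test data, and the Issue helper only fabricates certificates for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Mapper is site-local policy, the part no package can ship "out of the box": for each CA
// the site trusts for logins, the certificates (by serial) that map to a 32-bit local uid.
type Mapper struct {
	Users map[string]map[string]uint32 // issuer DN (RFC 2253) -> serial -> uid
}

// Map turns a client certificate that TLS has already verified into a local uid. A valid
// chain is not enough: the issuer must be one the site registered and the exact
// (issuer, serial) pair must be mapped, otherwise the login is refused.
func (m *Mapper) Map(cert *x509.Certificate) (uint32, error) {
	issuer := cert.Issuer.String()
	byCA, ok := m.Users[issuer]
	if !ok {
		return 0, fmt.Errorf("issuer %q is not trusted for local login", issuer)
	}
	uid, ok := byCA[cert.SerialNumber.String()]
	if !ok {
		return 0, fmt.Errorf("serial %s from %q is not mapped to a local user", cert.SerialNumber, issuer)
	}
	return uid, nil
}

// Issue builds a constructed test certificate (no real CA involved) for subjectCN under
// the issuer name caCN, so the mapping can be exercised offline.
func Issue(caCN, subjectCN string, serial int64) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: caCN}}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: subjectCN},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

The two refusal paths are the point: a certificate with the same subject and serial from an unregistered issuer, and a certificate from the trusted issuer that was never mapped, both fail before any local credential is handed out.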