> >What is the purpose of global CAs such as
> >Verisign if I can't trust the certificates to identify an end user?
> 
> That is indeed the question.  At least the part before the "if" :)
> 
> At least now you can have a single value (subject,issuer,serial#)
> to map "global identity" (sic) into local credentials.  If you
> think that any random cert signed by any random CA can be trusted
> by your local programs.
> 
> In many cases globally-scalable identities have to be mapped down
> into a smaller ID space -- e.g., a 32bit Unix userid.
> 
> There's no magic bullet here.
>       /r$

I'm not looking for a magic bullet.  What I am looking for is a method
to package and distribute clients and servers that will work out of
the box.  And the answer is, that if you want to do client auth with
PKI then you can't.  You need to modify the code to support whatever
> local system is in use for certificate to ID mapping.

What this says to me is that Client Auth should not be a part of
SSL/TLS and that the client auth protocol should be built on a higher
layer.  Whether that client authentication layer be PKI based or
something like Kerberos, Secure Remote Password, SecureID, OTP, or
something else.


    Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
                 The Kermit Project * Columbia University
              612 West 115th St #716 * New York, NY * 10025
  http://www.kermit-project.org/k95.html * [EMAIL PROTECTED]
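The "mapping down" step the replies above describe, as an added example that is not part of the thread: a client certificate is accepted only if it chains to a locally trusted CA, and its (issuer, serial) pair (serials are unique per issuer, so the subject need not be part of the key) is then looked up in a local map file to find a Unix uid. It assumes the openssl CLI; the CA names, the "certmap" file format and the uid 1500 are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: certificate -> local uid mapping with
# the openssl CLI. Names, paths and the map file format are constructed.
set -eu
WORK=$(mktemp -d)
MAP="$WORK/certmap"   # constructed local policy: one "issuer|serial uid" per line

# Build a throwaway local CA, a client cert it signs, and a second "rogue" CA
# that signs a cert with the very same subject and serial number.
make_pki() {
  for ca in local rogue; do
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=${ca}CA" -days 1 \
      -keyout "$WORK/$ca.key" -out "$WORK/$ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
      -keyout "$WORK/alice-$ca.key" -out "$WORK/alice-$ca.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/alice-$ca.csr" -CA "$WORK/$ca.pem" \
      -CAkey "$WORK/$ca.key" -set_serial 0x1001 -days 1 \
      -out "$WORK/alice-$ca.pem" >/dev/null 2>&1
  done
}

# cert_key CERT: print "issuer|serial" in a stable RFC 2253 form.
cert_key() {
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  ser=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')
  printf '%s|%s\n' "$iss" "$ser"
}

# map_cert_to_uid CERT: chain check against the local CA first, then the map
# lookup. Prints the uid on success; returns 1 for untrusted or unmapped certs.
map_cert_to_uid() {
  openssl verify -CAfile "$WORK/local.pem" "$1" >/dev/null 2>&1 || return 1
  key=$(cert_key "$1")
  uid=$(awk -v k="$key" '$1 == k { print $2 }' "$MAP")
  [ -n "$uid" ] || return 1
  printf '%s\n' "$uid"
}

make_pki
printf '%s 1500\n' "$(cert_key "$WORK/alice-local.pem")" > "$MAP"
map_cert_to_uid "$WORK/alice-local.pem"                 # prints 1500
map_cert_to_uid "$WORK/alice-rogue.pem" || echo "rogue-signed alice: rejected"
```

The rogue cert carries the same subject and serial as the genuine one, so only the chain check, not the map lookup, keeps it out.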


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
