Leland,

> Here is the issue - installing a CA manually provides no more trust than accepting a
> self-signed CERT.
>
> There is also a big downside to installing a CA manually - if the user accepts a CA
> by accident or misintention, that user is open [open = accepting a secure connection
> without any warning] to ALL sites that reference that CA; a user accepting a
> self-signed CERT is only open to the site presenting the CERT.

Although I can see your point I disagree. Pre-installed certificates, as
user-friendly as they might be, lead to a false sense of security. Based on
the fact that the browsers are shipped with a certain number of CAs one
cannot make any assumptions about the trustworthiness of those CAs. In
fact, I think the so-called "browser trust model" is utterly named wrong
because the "trust" is based on the right amount of money only.

As a non-pre-installed CA we ask our users to manually install AND
verify our root and subordinate certificates. Agreed, this is not that
user-friendly but by doing so many users get a feeling of what's going
on.

> The main advantage to a CA is that their root CERTs are pre-installed in standard
> web browsers. I personally can see no advantage to a public CA that is not
> pre-installed, .. only in the case where a number of sites are referencing a
> potential CA (a la Intranet) would it be an advantage.
>
> An openCA is an extremely nice idea, .. but I think it would be better handled if
> someone, perhaps, could convince the Netscape folks to include it in NN5.

This is just a matter of bucks...

Cheers,

        Stefan.

PS: This isn't really openssl relevant...  :-)

______________________________________________________________________________
Stefan Kelm            PGP key: "finger [EMAIL PROTECTED]" or via key server
DFN-PCA                                                      <[EMAIL PROTECTED]>
Vogt-Koelln-Str. 30                               http://www.pca.dfn.de/~kelm/
22527 Hamburg (Germany)                   Tel: +49 40 428 83-2262 / Fax: -2241
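Added example, not part of Stefan's or Leland's messages: a throwaway shell script that shows the blast-radius difference the two are arguing over, using the openssl CLI (assumed to be installed) with keys and certificates generated on the fly. Trusting the constructed CA makes every certificate it ever issued verify, while trusting one self-signed certificate makes only that certificate verify.

```shell
#!/bin/sh
# Added example (not from the thread): trusting a manually installed CA vs.
# accepting one self-signed certificate. Assumes the openssl CLI is present;
# every key and certificate here is constructed on the fly and thrown away.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# The CA a user is asked to install by hand (constructed, not a real CA).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Example Manual CA" -days 1 >/dev/null 2>&1

# issue_cert HOST: a server certificate for HOST signed by that CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out "$1.pem" -days 1 >/dev/null 2>&1
}
issue_cert site-a.example
issue_cert site-b.example   # a second, unrelated site under the same CA

# A site that presents a self-signed certificate instead of a CA-issued one.
openssl req -x509 -newkey rsa:2048 -nodes -keyout self.key -out self.pem \
  -subj "/CN=self-signed.example" -days 1 >/dev/null 2>&1

# verify_with TRUSTFILE CERT: "ok" if CERT chains to TRUSTFILE, else "fail".
verify_with() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Blast radius of each decision: which sites each trust anchor silently accepts.
show_blast_radius() {
  for trust in ca.pem self.pem; do
    for cert in site-a.example.pem site-b.example.pem self.pem; do
      printf 'trust %-9s %-22s %s\n' "$trust" "$cert" "$(verify_with "$trust" "$cert")"
    done
  done
}
show_blast_radius
```

The table printed by show_blast_radius is the thread's point in one screen: ca.pem accepts both sites it issued for and rejects the self-signed one, while self.pem accepts only itself.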
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]