From a newb who has way too much theory and too little practical --

> >The data is no less secure true.. but the authentication is much easier
> >for someone to fake since the certificate chain doesn't go through a
> >trusted third party (Root CA) the person says "This is me. End of story"
> >and you choose whether you believe it or not.
>
> Hi Shaun,
>
> I don't understand why a root CA which everybody can download from the
> internet is more secure than if I use my own CA.

Well, the way I understand it is, Verisign, the company (for example), has not come out and said, "NO! Don't trust our certificates!!!", and neither have a lot of other people. So we can assume their certificates are theirs, even though we can't assume they are who they publicly claim to be. The trust on the second question is an induced trust in our heads. Since nobody is standing up to claim that the management of any of these companies is fraudulent in the claims they make as to who they say they are, the induced trust takes more effect. But that sort of trust is outside of PKI.

> I want to make it clear I
> am not against using certificates from an official CA. But in some cases you
> can save your money as an expense for the certificate if you use your self-
> signed certificate. If you want that only authenticated users can have
> access, then you can use SSLVerifyClient in Apache.

Well, yeah, if your head of engineering stands up in the morning meeting and claims he signed the company's internal root CA certificate himself, that is actually better than if he sent it off to one of the commercial (or open) CAs, because the external chain of trust is more direct. Also, that group in Australia that's doing peer-to-peer certification has an approach that I think is theoretically valid in a different way and in a different context, because it's a chain of face-to-face trust. I haven't got a certificate from them yet, but I want to see how well they implement things.

First I have to make sure I really understand what's going on with openssl and the more hierarchical approach.

--
Joel Rees <[EMAIL PROTECTED]>
digitcom, inc.   株式会社デジコム
Kobe, Japan   +81-78-672-8800
** <http://www.ddcom.co.jp> **
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
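The point both posters are circling, that a certificate is only "trusted" relative to whichever CA the verifier has chosen to trust, can be shown with the openssl command line. The script below is an added example written for this page, not code from the thread or from the OpenSSL project. It builds a private CA, issues a client certificate from it, and then checks what `openssl verify` says when the cert is checked against that CA, against an unrelated CA, and when a bare self-signed certificate is checked with and without being added to the trust list. It also prints the Apache directives a private-CA deployment with `SSLVerifyClient require` needs. The CA names, the user `alice`, the `/etc/ssl/...` paths and the function names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Requires the openssl CLI.
# "Example Internal CA", "Rogue CA", "alice" and the /etc/ssl paths are
# made-up placeholders, not values from the mailing-list post.
set -u

# make_ca DIR NAME: create a self-signed CA key and certificate in DIR.
make_ca() {
    dir=$1; name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=$name" >/dev/null 2>&1
}

# issue_cert CADIR CN OUTPREFIX: key + CSR for CN, signed by the CA in CADIR.
issue_cert() {
    cadir=$1; cn=$2; out=$3
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$out.key" -out "$out.csr" -subj "/CN=$cn" >/dev/null 2>&1 &&
    openssl x509 -req -days 365 -in "$out.csr" \
        -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" -CAcreateserial \
        -out "$out.crt" >/dev/null 2>&1
}

# verify_against CAFILE CERT: succeed only if CERT chains to CAFILE.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# apache_ssl_config CAFILE: the mod_ssl directives that make Apache accept
# only client certificates issued by our own CA (placeholder paths).
apache_ssl_config() {
    cat <<EOF
SSLEngine on
SSLCertificateFile    /etc/ssl/server.crt
SSLCertificateKeyFile /etc/ssl/server.key
# Ask for a client certificate and accept it only if it was issued by our CA.
SSLCACertificateFile  $1
SSLVerifyClient       require
SSLVerifyDepth        1
EOF
}

# demo_client_ca_trust: run the four checks and succeed only if all behave
# as the trust model predicts. Everything is created in a throw-away directory.
demo_client_ca_trust() {
    work=$(mktemp -d) || return 1
    mkdir "$work/ca" "$work/rogue" || return 1
    make_ca "$work/ca" "Example Internal CA" || return 1
    make_ca "$work/rogue" "Rogue CA" || return 1
    issue_cert "$work/ca" alice "$work/alice" || return 1
    # A certificate signed by nobody but itself: "This is me. End of story."
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$work/self.key" -out "$work/self.crt" \
        -subj "/CN=self" >/dev/null 2>&1 || return 1

    ok=0
    # 1. Our own CA vouches for alice: accepted.
    verify_against "$work/ca/ca.crt" "$work/alice.crt" && ok=$((ok+1))
    # 2. A different CA, however well known, did not issue it: rejected.
    verify_against "$work/rogue/ca.crt" "$work/alice.crt" || ok=$((ok+1))
    # 3. The self-signed cert is fine once you decide to trust that exact cert.
    verify_against "$work/self.crt" "$work/self.crt" && ok=$((ok+1))
    # 4. Without that decision, nothing in the chain vouches for it: rejected.
    openssl verify "$work/self.crt" >/dev/null 2>&1 || ok=$((ok+1))

    rm -rf "$work"
    [ "$ok" -eq 4 ]
}

demo_client_ca_trust && echo "trust checks behaved as expected"
apache_ssl_config /etc/ssl/example-internal-ca.crt
```

Check 2 is the one that matters for the cost argument in the thread: with `SSLVerifyClient require` and `SSLCACertificateFile` pointing at your own CA, a client certificate from a commercial CA is rejected just as firmly as a forged one, so the commercial root buys nothing for client authentication inside an organisation that issues its own certificates. `SSLVerifyDepth 1` additionally refuses any chain longer than "our CA signed it directly".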