On Thu, 2010-12-02 at 17:06 +0000, Dave Cridland wrote:
> (FWIW, I wondered for some time about clients generating a CSR and  
> having servers actually be PKIX CAs, but that equally gains nothing,  
> except adding lots more exciting-looking X.509).
> 
> Of course, if the certificate is signed by a trusted party (ie, a  
> real CA), then everything changes - the server cannot advertise a  
> false certificate any longer, so the situation is entirely different. 

This is where it would have been useful for the PKIX CA structure to be
more like DNS, so you could sign certs for your own users and subdomains
etc.

-- 
Kim Alvefur <z...@zash.se>
