[3006] in cryptography@c2.net mail archive
Re: Pseudonymous S/MIME certs?
daemon@ATHENA.MIT.EDU (Ben Laurie)
Mon Jul 20 13:25:47 1998
Date: Mon, 20 Jul 1998 18:18:23 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Enzo Michelangeli <em@who.net>
CC: cryptography@c2.net

Enzo Michelangeli wrote:
> >Common-sense: just coz I trust A, doesn't mean I trust B who A signed
> >for.
>
> Still, it could make sense e.g. in a VPN-like environment where A is a
> system administrator (the "Internal CA admin"), and B a generic member of
> the same organization as A and myself, but located remotely. Such an
> arrangement would allow a company with N users to buy from a CA only one
> cert instead of N.

Either action has to be taken to distinguish this single cert from other
certs, or the organisation becomes vulnerable to anyone capable of
signing a cert. If you are going to have to mark this cert as trusted,
why not just install a new CA root cert instead and do away with the
external CA altogether?

Cheers,
Ben.
--
Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/
London, England. |"Apache: TDG" http://www.ora.com/catalog/apache/
WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/
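
The trade-off discussed in this message, as an added example that is not part of the original post: a toy path-validation model comparing a verifier that lets any chained cert issue, one that honours only an explicitly marked cert, and one that uses its own root. Signature checking is not modeled, and every name and function here is constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # subject name of the signing cert (signature check not modeled)

def build_chain(leaf, pool, roots):
    """Follow issuer links from leaf up to a trusted root; None if no path."""
    chain, cur, seen = [leaf], leaf, set()
    while cur.subject not in roots:
        if cur.subject in seen:  # untrusted self-signed cert or issuer loop
            return None
        seen.add(cur.subject)
        cur = pool.get(cur.issuer)
        if cur is None:
            return None
        chain.append(cur)
    return chain

def accepts(leaf, pool, roots, marked=None):
    """marked=None: any cert that chains to a root may issue.
    marked=set: only roots and the certs named in it may issue."""
    chain = build_chain(leaf, pool, roots)
    if chain is None or marked is None:
        return chain is not None
    return all(c.subject in roots or c.subject in marked for c in chain[1:])

# Constructed sample data: all names are made up for this example.
POOL = {c.subject: c for c in [
    Cert("External CA", "External CA"),
    Cert("Org Admin A", "External CA"),      # the one cert the company buys
    Cert("Remote User B", "Org Admin A"),
    Cert("Other Customer", "External CA"),   # anyone else the CA certified
    Cert("Forged User", "Other Customer"),
    Cert("Internal Root", "Internal Root"),  # the alternative: own root
    Cert("Remote User B2", "Internal Root"),
]}

def demo():
    ext, own, a = {"External CA"}, {"Internal Root"}, {"Org Admin A"}
    b, b2, forged = (POOL[n] for n in
                     ("Remote User B", "Remote User B2", "Forged User"))
    return {
        "any issuer, B": accepts(b, POOL, ext),
        "any issuer, forged": accepts(forged, POOL, ext),
        "marked A, B": accepts(b, POOL, ext, a),
        "marked A, forged": accepts(forged, POOL, ext, a),
        "own root, B2": accepts(b2, POOL, own, set()),
        "own root, forged": accepts(forged, POOL, own, set()),
    }
```

Only the unmarked verifier accepts the forged cert; the marked-cert and own-root configurations both reject it, and both need a per-verifier trust setting.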