[3039] in cryptography@c2.net mail archive
Re: Pseudonymous S/MIME certs?
daemon@ATHENA.MIT.EDU (Ben Laurie)
Wed Jul 22 13:33:37 1998
Date: Wed, 22 Jul 1998 17:41:29 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: "P. J. Ponder" <ponder@freenet.tlh.fl.us>
CC: "Brown, R Ken" <brownrk1@texaco.com>, cryptography@c2.net
P. J. Ponder wrote:
>
> The administrative disadvantage of having to go back to Verisign or
> whomever to handle the management of certs is a compelling reason for
> organizations to have their own root level certificates, and as Ken points
> out many companies are much larger and better known than any CA, anyway.
>
> The real point, though, is the one that Carl Ellison (and others) keeps
> stating, which is: The entity actually granting the right or privilege or
> attesting to the identity of an individual, key, meme, or long lasting
> persona, is the only logical source for the granting of the right or the
> attestation. No third party is needed, and additional liabilities are
> raised when additional actors are added to an otherwise sufficient
> procedure. There is no business case for a free standing CA.
>
> Carl et al can correct me if I've mistated the argument or its logical
> conclusion.
There's a slightly deeper point, which I'll state again since Perry
bounced my previous attempt for excessive length :-)
The point is that there may be a case for two-level CAs - that is a CA
which is marked as "trust anything signed by anything signed by me", but
anyone who assigned that role to a public CA would be mad (for the
obvious reason that any fool could then get a cert from that CA and use
it to sign other certs).
Slightly less obvious is the point that this should _not_ be a property
of the CA cert, but a property of its installation in the client/server
software. That is, the user chooses to trust a CA to depth 2 (or depth
n).
And finally, I should note that Apache-SSL has provided this facility
(for client certs only, of course) for some years.
Oh, and just in case it isn't obvious why you would want to do this,
consider a multinational. It would create a root CA cert which would
create sub-CAs for each country (say). Clients belonging to said
megacorp would install the root CA cert with depth 2 trust.
Cheers,
Ben.
--
Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/
London, England. |"Apache: TDG" http://www.ora.com/catalog/apache/
WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/
