Re: [AUG PENG 2004] key signing party -- the corporate way

From: amos_at_nonexisting.hamakor.org.il
Date: Wed 04 Aug 2004 - 16:03:41 IDT

• Next message: Cyril Scetbon: "Re: Enabling NPTL on slackware"
• Previous message: Yosef Leibovich: "Re: Implementing takdin-like search"
• In reply to: Ilya Konstantinov: "Re: [AUG PENG 2004] key signing party -- the corporate way"
• Next in thread: Shlomi Fish: "Re: [AUG PENG 2004] key signing party -- the corporate way"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

Ilya Konstantinov wrote:

> They don't seem to be part of the Certificate Authorities lists
>
>provided with common mailers (Outlook Express, Mozilla...). Therefore,
>they're as worthy as a "Certificate Authority" I can create with
>openssl or Win2K Certificate Manager in 5 minutes.
>
>
No they aren't indeed. But at least the browsers I'm aware of (IE,
Firefox) allow users
to add new CA's, and that's what CaCert is counting on.

>The idea behind certificate authorities is this:
>1. Only trusted large bodies, with secure authorization procedures(1)
>are part of the lists provided with common software.
>2. They assure your identity by secure means (seeing your ID etc.).
>3. They assert that you are whoever you claim you are by signing your
>certificate.
>
>
The "Free mail cert" Thawte plan suggested above seems to take similar
identification
steps to the free one, so no disadvantage in that area for CaCert.

The only difference I think I identify is that CaCert allows you to get
also SSL server
certificates and certificates for other proposes. Not to mention that as
far as I've seen
the certificate I got from Thawte today will expire in a year - who
knows what different
conditions would I have to meet next year to get another cert?

It's true that they are not in the default lists of existing browsers
but on the other hand
their certificates can be used in many more ways than just for signing
e-mail, if I got
everything right.

(Come to think of it - it's not unreasonable to expect them in
Firefox/Konqueror's
default CA list some day soon)

And before someone gets a feeling that I attack the original idea - I
didn't. I just though
that while we in the business of signing certs that maybe people would
be interested in
yet ADDITIONAL way to sign certs.

--Amos

=================================================================
To unsubscribe, send mail to linux-il-request_at_linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request_at_linux.org.il

• Next message: Cyril Scetbon: "Re: Enabling NPTL on slackware"
• Previous message: Yosef Leibovich: "Re: Implementing takdin-like search"
• In reply to: Ilya Konstantinov: "Re: [AUG PENG 2004] key signing party -- the corporate way"
• Next in thread: Shlomi Fish: "Re: [AUG PENG 2004] key signing party -- the corporate way"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2.1.7 : Wed 04 Aug 2004 - 16:14:11 IDT