On Wed, Dec 22, 1999 at 10:40:56AM -0800, Dr. Greg Quinn wrote:
> I think a free CA would be great. I really wish there was an academic
> institution initiative. A big limitation as far as I can
> see would be getting certs pre-installed into web browsers.
> The chance of either MS or netscape doing this would be close to none.
> If my experience is anything to go by, asking the average user to import a
> CA can be problematic.
Well, I don't know about other countries, but at least in Germany we
do have an initiative like this (sorry, pages seem to be available only
in German):
http://www.cert.dfn.de/dfnpca/
The DFN is the provider of Internet connectivity for German academic
institutions.
I am however afraid only few people know about this project :-)
They also seem to care about what they certify: you can get a
server certificate directly from them, but then you have to meet them
personally. They also certify computer centers of universities, which
then can issue certificates themselves. My university is a fresh member
in the list, so probably I will get a certificate there in the future.
With regard to the users... There seem to be different types.
- I do provide the address list for my sports group, but I only provide
it with SSL enabled, so that neither the password nor the data itself
can be sniffed or caught at a proxy. (Some members work in large companies
with a tight network setup and netadmins that would like to know more than
they should :-)
I have changed my certificate over time while learning how to be my own CA.
* Nobody _ever_ complained about that. Even more, I asked them whether they
got any message on the screen.
- Which message?
- About certificates and so on.
- Well, I don't remember. Maybe I clicked away some boxes.
* The people are not technical staff; we have lawyers, economists,
secretaries...
- I have seen this more than once; most people don't care at all, and it is
nearly impossible to even explain to them the difference between 40-bit and
128-bit. They don't care, even for banking.
Having said this, I don't know the terms of trade with M$ and/or Netscape.
Having the root CA of your company in the browsers is the base for your
business as a CA, so I would think that the CAs do pay to get included.
-> Problem for free CA (not of technical nature)
To achieve at least a bit of sense in using CAs, a minimum standard for
"trust" must be defined to be included in the standard list. If anybody
can be a CA (including my home-grown AET-CA I use myself), the list becomes
useless. So for a CA you do need an infrastructure for checking real
identities. Defining a policy is not enough, you must also be able to realize
it. So it will cost some money to maintain your infrastructure.
-> Problem for free CA (not of technical nature)
So much for now. I am not enthusiastic that just because we have OpenSSL
and/or OpenCA we will easily get a real CA for nothing.
(I personally can be optimistic, because there is the DFN-PCA described above,
but I don't know which other institutions offer such service.)
Best regards,
Lutz
PS. Yes, I read Schneier's paper about CAs on Counterpane :-)
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
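The two points Lutz makes above, that a home-grown CA only works for users who have imported it, and that a trust list is only as good as the CAs admitted to it, can be reproduced with the openssl command line. The script below is an added example and is not part of the original post, of the DFN-PCA, or of the OpenSSL project's own tooling. It assumes the `openssl` CLI is installed; every name, path and subject (the "Example Home-grown CA", `www.example.test`, the temporary store files) is constructed for the demo. It builds a self-signed root, issues one server certificate from it, and then verifies that certificate twice: once against a trust store that does not contain the root (a browser that does not ship it) and once against a store where the root has been "imported".

```shell
#!/bin/sh
# Added example, not from the original post: show that a certificate issued by a
# home-grown CA verifies only when that CA is present in the trust store used.
# Requires the openssl CLI. All names and paths below are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Self-signed root CA standing in for a home-grown "AET-CA".
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Home-grown CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. Server certificate: CSR for a constructed host name, signed by the root.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
}

# 3. Verify the server certificate against the trust store file given as $1.
#    Prints "trusted" or "untrusted"; the function itself always succeeds so
#    that set -e does not abort the demo on the expected failure.
verify_against_store() {
    store="$1"
    if openssl verify -CAfile "$store" "$WORK/server.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_root_ca
make_server_cert

# Empty store: the browser does not ship our root and the user never imported it.
: > "$WORK/empty-store.pem"
# Store with the root "imported": what the user sees after accepting the CA.
cp "$WORK/ca.pem" "$WORK/imported-store.pem"

RESULT_WITHOUT=$(verify_against_store "$WORK/empty-store.pem")
RESULT_WITH=$(verify_against_store "$WORK/imported-store.pem")
echo "without CA imported: $RESULT_WITHOUT"
echo "with CA imported:    $RESULT_WITH"
```

The "untrusted" result is exactly the warning dialog the sports-group members clicked away: without the root in the store, a browser has no way to tell the home-grown CA from any other unknown signer, which is why admission to the shipped list has to be tied to a checked identity-verification policy rather than to the mere ability to run `openssl req -x509`.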