I'd just like to point out that an Open Community CA is different than
an
Open Source CA. The latter is obviously addressed by the OpenCA.org ini-
tiative which, BTW, I don't know if it's getting any momentum at all.
The first one implies that you have a CA where everyone can register and
fetch a certificate for free or nearly (at least this distinction makes
sense to me). Now it's clear that if this CA will enforce some
requirements
stronger than email verification they'll have costs. And if they want to
have a secure, reduntant site and private key protection the costs will
grow considerably.
So, I don't believe that without some funding this will never happen.
Finally, in Europe, the Comission has approved a directive which states
the conditions that qualified CAs must meet so that they can issue qua-
lified certificates. These certificates will be used in digital
signatures
that have the same legal value than hand-written signatures. Other
initia-
tives will happen so that only "certified" CAs may operate in these cir-
cunstances and I think this addresses some questions raised in these
mails.
I hope this makes sense to you because I believe that at least in Europe
this
will be the way taken. In the US I don't know but I think that if they
haven't
done anything similar already they'll follow up.
Regards,
John Hartnup wrote:
>
> On Wed, May 24, 2000 at 12:02:55PM +1200, Jason Haar wrote:
> > I feel everyone is missing the point.
> >
> > What do I do as a company when I want to "acquire" 1,000's of user certs so
> > that my users can (e.g.) use IPSec VPN solutions over the Internet to
> > access corporate services?
> >
> > I don't _need_ a major CA to be guaranteeing the validity - I need to be the
> > CA!
> >
> > Other commercial outfits are producing CAs (Microsoft come to mind - anyone
> > running Active Directory!?!?!?), so why cannot there be an Opensource one?!?!?
> >
> > [yes, there are, I know - I'm just trying to impress that this issue isn't as
> > black-and-white as is being said]
> >
>
> I think there is confusion about what you believe should exist:
>
> Your original posting looked to me as it if was suggesting there should be
> a free or low cost CA *service* based on open source software. People have
> argued that to sign a certificate with any due diligence takes effort and
> therefore has to be funded somehow.
>
> Now it seems like you are talking about merely developing free (libre) CA
> software, which anyone may take and use. Well, OpenCA is already making
> progress (it needs work: why not help them?). OpenSSL itself contains a
> mini CA application already.
>
> In your example:
>
> > What do I do as a company when I want to "acquire" 1,000's of user certs so
> > that my users can (e.g.) use IPSec VPN solutions over the Internet to
> > access corporate services?
>
> ... you're right: your company may set up its own internal CA. It may define
> its own procedures to verify that certificate requests are valid before
> signing them. Then, all your users will have to do is to import your new
> root CA certificate, such that their clients trust certificates issued by your
> CA.
>
> Getting people outside your organisation to trust your CA would be a different
> matter.
>
> --
> -------------------------------------------------------------------------------
> Ooh, it's 'orrible being in love when you're eight and a half.
> I've got your picture on my wall and your name upon my scarf.
> -------------------------------------------------------------------------------
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
--
=======================================================
Bruno Salgueiro (mailto:[EMAIL PROTECTED])
SIBS - Sociedade Interbancária de Serviços
Rua Soeiro Pereira Gomes, Lote 1, 1600 Lisboa, Portugal
Tel: + 351 21 791 88 33
Fax: + 351 21 794 24 40
http://www.sibs.pt
Esta mensagem foi assinada com certificado MULTIcert.
Para obter o certificado da Autoridade de Certificação
PILOTO MULTIcert dirija-se ao site
http://www.sibs.multicert.com
"Computers are useless. They can only give you answers."
--Pablo Picasso
=======================================================
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
