on being a bundled Root CA-

I suspect that a root CA will have some local laws and policies
to adhere to and declare that they adhere to law/policy numbers
such and such...
Then I suspect the web browser writers will want a nominal setup fee
$1K + ?   to review an application and a couple of boxes of
hard copy documentation  and here is the kicker, INSURANCE.
And for something like this only high risk will insure, Lloyd's of London?
And what will the rootCA need insurance for? Damages due
to improper handling of CAs?

Back in 1996 the American Bar Association wrote a paper
that has guidelines for PKI:
http://www.abanet.org/scitech/ec/isc/dsgfree.html

It has paragraphs like

" By issuing a certificate, a certification authority represents to any
person who reasonably relies on a certificate or a digital signature
verifiable by the public key listed in the certificate, that the
certification authority, in accordance with any applicable certification
practice statement of which the relying person has notice, has confirmed
that "
which indicates that a root CA would have to have a certification practice
statement. This I would expect anyway, and the rest of the wordage
is so general, with thoughts like "the certificates need appropriate
archiving" but not saying what is appropriate.
I suspect the E-sign laws will be similar, vague, which is good
actually, I'd hate to see a law that says a Guild/monopoly like MS or
Verisign has to give approval.

And the local government will have a say on the rootCA, maybe a
rootCA registry in HavenCO is not a bad idea after all.....
The recent laws passed in 2000 in the US about e-commerce are weaker
than when introduced but will have some impact....
For those doing business in the USA we may even see the SEC
regulating how CAs store the records, X.509 certs, and elect. signatures:
http://www.mbc.com/ecommerce/legis/congress.html#hb1714
SUMMARY: This Bill, introduced by House Commerce Committee Chairman Thomas
Bliley (R-Va.), directs the Department of Commerce to promote the use and
acceptance of electronic signatures on an international basis by following
certain principles outlined in the bill. The principles include: (a) free
markets and self-regulation rather than government standards or rules for
the use of electronic records and signatures; (b) technology-neutral
policies; (c) allowing parties to a transaction to establish reasonable
requirements regarding the use and types of electronic records and
signatures; (d) legal validity not to be denied to electronic records and
electronic signatures on the ground that they are not in writing; and (e)
no foreign government imposition of standards on private industry.
This Bill is in the process of coordination with S.761 through a Joint
Conference Committee.
The Bill also amends the Securities Exchange Act of 1934 to give the SEC
the authority to prescribe regulations covering the use of electronic
records and signatures as long as the Commission does not promulgate
regulations contrary to the principles listed above.


hmmmm......



> I think that it would be good to have a section on "bundled root CA"
> for Simos' book on openpki  http://ospkibook.sourceforge.net
> If anyone else out there has some more information on this please
> send it to the list.  I suspect like ourselves others have wasted effort
> with Netscape and MSIE trying to determine their process for picking
> root CAs that they bundle.  
>   Right now the only "easy" way to be a root CA I think is to
> pay for being a Chained CA Service from Thawte or Verisign (same company)
> but you gotta  adhere to a lot of rules and use approved software only
> and I'm not sure openssl compiled by yourself will be acceptable....
> 
> Of course for an enterprise that is afraid of open source they
> could go the MS solution, I for one do not want this to be the only option
> for us in the future.......
> Microsoft Windows 2000 will ship with an integrated public key
> infrastructure and CertSrv 2.0, which will have a more complete user
> interface, built-in support for CA hierarchies, and additional
> capabilities such as a time-stamping server.
> On Mon, 24 Jul 2000, Simos Xenitellis wrote:
> > For certificates you buy, the "root certificate" is already there
> > in your browser so your client can connect with SSL transparently.
> > 
> > I heard that putting your root certificate in a browser costs 
> > a lot lot of money. Can someone verify/provide links on this procedure?
> > simos
> > http://ospkibook.sourceforge.net (new version out, 2.4.7)
> > 
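The thread's technical point (a bought certificate "just works" because the browser already holds the root, while a chained CA means the server must also present the intermediate) can be made concrete with a small trust-anchor experiment. The program below is an added example, not code from this thread, from the openpki book or from OpenSSL; it uses only Go's standard crypto/x509 package. All CA names, the serial numbers and the hostname www.example.test are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a three-level hierarchy: a root CA, a "chained" (intermediate) CA
// signed by the root, and a server certificate signed by the intermediate.
// Every name and serial number here is constructed for this example.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

const leafHost = "www.example.test" // constructed hostname

// newCert signs tmpl with parentKey; when parent is nil the cert is self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate returns a CA certificate template valid for one day.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildChain creates a fresh root, chained CA and server certificate.
func BuildChain() (*Chain, error) {
	root, rootKey, err := newCert(caTemplate("Constructed Root CA", 1), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := newCert(caTemplate("Constructed Chained CA", 2), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: leafHost},
		DNSNames:     []string{leafHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// Verify plays the browser: its trust store holds only the given roots, and
// the server presents the leaf plus, when sendIntermediate is true, the chain.
func (c *Chain) Verify(sendIntermediate bool, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool() // non-nil, so the OS store is NOT consulted
	for _, t := range trusted {
		roots.AddCert(t)
	}
	inters := x509.NewCertPool()
	if sendIntermediate {
		inters.AddCert(c.Intermediate)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: leafHost, Roots: roots, Intermediates: inters})
	return err
}

// IsUnknownAuthority reports whether verification failed for lack of a trusted
// root, the error a browser shows when the root was never bundled.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("root bundled, chain sent:    ", c.Verify(true, c.Root))
	fmt.Println("root bundled, chain not sent:", c.Verify(false, c.Root))
	fmt.Println("root not bundled:            ", c.Verify(true))
}
```

The first call succeeds; the other two fail with an unknown-authority error, which is exactly what a self-run root hits in a stock browser and what a chained-CA customer hits if the server forgets to send the intermediate. Only the first case is fixed by getting the root bundled; the second is a server configuration matter.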


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
