You are in a place where theory and practice converge. The security model assumes you don't trust a CA (in the technical sense) if you don't trust the CA (in the normal sense). It is built around the assumption that a client's list of trusted CAs will be intelligently managed to include only those whose certificate issuing policies are acceptable for the use to which the client software will be put. The reality is that the human being using the software may not even have any idea that his software contains a list of trusted CAs. The odds that he knows any given CA's security policy are even lower.
We use certificate authentication quite a bit between our clients and servers at the University of Washington -- and we trust only certificates issued by our own CA and none by anyone else. That's how we deal with the 'loosely trusted' CA problem.

Ji

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]