Re: [Auth]a couple of questions and suggestions
From: Norbert Sendetzky
Subject: Re: [Auth]a couple of questions and suggestions
Date: Fri, 13 Jul 2001 20:40:28 +0200
On Friday 13 July 2001 15:19, David Sugar wrote:
> In certificate authorities, I recall that root certificates for each
> authority must be distributed before certificates issued by that authority
> can be used. This could present a problem and a means to control and limit
> what independent authorities exist. Imagine, for example, if MS stuff like
> IE makes it even harder to load new CA root certificates other than those
> originally issued with their IE base distribution, and wipes out any add on
> ones every time you "upgrade". Also, the CA must then issue the individual
> certificates for everything that is used and deployed, rather than users
> individually, as is the case with gpg.
This may be a real threat!
> On the other hand, it is true the CA system that exists today does work,
> even if it's still clumsy and somewhat hard to set up, openssh certificate
> tools are getting better.
As far as I know (I use OpenSSH all the time), it does not use certs for
authentication. They use pairs of private/public keys like gpg does.
> A "CA" package that makes it easy for anyone
> anywhere to configure and operate a CA would be nice in of itself. Should
> it be the basis for DotGNU authentication? I do not know, but would like
> to see more discussion on this.
Is cross signing between CAs possible?
Company A trusts CA B and customer C trusts CA D. If cross signing between CA
B and D is possible, then you have a web of trust like in gpg/pgp and
therefore A trusts C. As far as I understand the CA structure, it is totally
hierarchical. CA B and D have to be signed by a CA E, which is a level higher
in the hierarchy. Is this right?
Norbert
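
The trust-path question in the message above, as an added example that is not part of the original post: X.509 does let one CA issue a cross-certificate for another, and this Python sketch models certificates as constructed (issuer, subject) pairs to show which chains a verifier can build. The names A to E follow the message; `find_path`, `HIERARCHY` and `CROSS` are hypothetical, and signatures, validity periods and constraints are not modelled.

```python
from collections import deque

# Constructed sample data: each certificate is an (issuer, subject) pair.
HIERARCHY = [
    ("E", "E"),  # self-signed root CA E
    ("E", "B"),  # E certifies CA B
    ("E", "D"),  # E certifies CA D
    ("B", "A"),  # CA B issues company A's certificate
    ("D", "C"),  # CA D issues customer C's certificate
]
CROSS = [("B", "D")]  # cross-certificate: CA B signs CA D's key (one direction)


def find_path(certs, anchors, target):
    """Breadth-first search from the verifier's trust anchors to target.

    Returns the chain of names [anchor, ..., target], or None if the
    verifier cannot build any chain to the target.
    """
    issued = {}
    for issuer, subject in certs:
        if issuer != subject:  # a self-signature adds no new edge
            issued.setdefault(issuer, []).append(subject)
    queue = deque([a] for a in sorted(anchors))
    seen = set(anchors)
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in issued.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    # Company A trusts only CA B: no chain to C in the pure hierarchy.
    print(find_path(HIERARCHY, {"B"}, "C"))
    # A verifier that trusts root E reaches C through D.
    print(find_path(HIERARCHY, {"E"}, "C"))
    # With B's cross-certificate for D, A's side can validate C.
    print(find_path(HIERARCHY + CROSS, {"B"}, "C"))
    # The reverse does not follow: C's side (trusting D) still cannot reach A.
    print(find_path(HIERARCHY + CROSS, {"D"}, "A"))
```

A cross-certificate is directional, so mutual trust between the two sides needs D to certify B as well.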