Anders Rundgren wrote, On 2008-11-23 09:15:
> Nelson B Bolyard wrote.
>>> I want each organization/domain entity that can afford an SSL certificate
>>>  to become a virtual CA and run their own secure messaging center.
> 
>> Why SSL certs?  Why not email certs?
> 
> Could it be the fact that the SSL PKI exists?

So does email PKI.  I use it every day.

> Email certs are a nice idea that requires that organizations buy into something
> like VeriSign's OnSite concept or into completely bizarre stuff like the US
> FBCA 

Uh, no.  Nearly all of the CAs in Mozilla's root list offer email certs.
You can get one from StartCom for free.

>> The IM service I mentioned before allows users to use certs from any CA.
>> Each user's client decides which certs are acceptable, not the service.
> 
> Oops!  *My* targets are users that do not know what a certificate is!

That's fine, since it trusts all of Mozilla's trusted roots by default
so the user doesn't need to take any action to trust a reasonable set of
CAs by default.  The point is that the user CAN if he so chooses.

Cert issuance could be done as part of registration for the service.

You just don't want the CA to be controlled by the ISP or you're begging
for MITM.  Numerous large ISPs are now making no secret about their MITM
intentions.  Google for phorm or nebuad.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
