Re: [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
- Date: Wed, 16 Jul 2003 17:02:05 +0200
On onsdag, jul 16, 2003, at 16:51 Europe/Stockholm, Randy Bush wrote:
Or are you suggesting that RIPE should select one of the
commercial root CAs and get all the client certificates from that
shop?
no, the RIRs can sign their customers certs.
maybe a tutorial is needed on how this stuff works. paf, is there
one readily available?
Well, the problem is to know whether the tutorial talk about how the
map is drawn or how things work in reality.
The overall question is how to build the chain of trust in X.509.
We can do
(a) CA -> RIR -> RIR member
(b) CA -> RIR and CA -> RIR member
As I don't work in the X.509 environment (I have been running my head
against the wall too many times when discovering the applications do
not do everything magic the spec is supposed to support) I am the wrong
person to ask.
BUT, I can find someone which can help.
From a trust point of view it is in fact *better* to consciously
import the RIPE root-ca certificate in your browser then to
simply trust what's in your root certificate store.
when the RIRs' procedures to protect their root CA keys are audited
...and the question is whether this audit and operations is cheaper
than to "just buy the thing" from a different CA...
paf
|
you are here: RIPE -> RIPE Maillists > Archives
