Re: [Auth]a couple of questions and suggestions

[Norbert Sendetzky]

On Friday 13 July 2001 15:19, David Sugar wrote:
> In certificate authorities, I recall that root certificates for each
> authority must be distributed before certificates issued by that authority
> can be used. This could present a problem and a means to control and limit
> what indipendent authorities exist.  Imagine, for example, if MS stuff like
> IE makes it even harder to load new CA root certificates other than those
> originally issued with their IE base distribution, and wipes out any add on
> ones every time you "upgrade".  Also, the CA must then issue the individual
> certificates for everything that is used and deployed, rather than users
> individually, as is the case with gpg.

This may be a real threat!

> On the other hand, it is true the CA system that exists today does work,
> even if it's still clumsy and somewhat hard to setup, openssh certificate
> tools are getting better.

As far as I know (I use OpenSSH all the time), itdoes not use certs for 
authentication. They use pairs of private/public keys like gpg does.

> A "CA" package that makes it easy for anyone
> anywhere to configure and operate a CA would be nice in of itself.  Should
> it be the basis for DotGNU authentication?  I do not know, but would like
> to see more discussion on this.

Is cross signing between CAs possible?
Company A trusts CA B and customer C trusts CA D. If cross signing between CA 
B and D is possible, then you have a web of trust like in gpg/pgp and 
therefore A trusts C. As far as I understand the CA structure, it is totally 
hierachical. CA B and D have to be signed by a CA E, which is a level higher 
in the hierachy. Is this right?


Norbert