On 24 Aug 2003, Austin Godber chattered thus:

> Let's discuss a good way to go about this. If we can agree on some proper
> handling procedures, I will gladly deal with the responsibility. Although,
> there may be some longevity issues ... for instance I may become at some point
> financially unable to host a CRL or something.

There's at least one project to make the software necessary for a CA. I believe it was mostly working a year ago.

I think the hard part will be deciding who to sign for. I figure we could sign for Free Software projects and groups. Maybe even charge for people like me who want their own personal cert.

The other hard part will be getting our CA accepted by the browsers. Here's where we call on locals who work with the projects ;-).

> And of course there is the web of trust ... with GPG and whatnot. I will cook
> something up about this ... addressing all of these issues. Anyone else feel
> free to chime in.

Ideally the CA would also work with a web of trust. The browsers would have a secondary security level for our CA. This one would say "this signature is from the people who were claiming to be these people, but that's not a guarantee that they're really these people". That's actually what Verisign is saying as well, but I'd like to be a little more direct with it.

The web of trust could then provide the secondary verification. You know me, you accept my cert. Monika knows me, she accepts my cert. Someone else at ASU knows both of you and trusts both of you, so my cert would be accepted as being from me via double verification. That along with being signed from our CA would then give my cert full security believability.

Maybe do the web of trust via GPG signatures and key servers.

This is probably way more complicated than I'm seeing it :).

ciao,

der.hans
--
# https://www.LuftHans.com/ http://www.AZOTO.org/
# We now return you to your regularly scheduled paranoia...