From owner-freebsd-security Wed May 17 13:17:21 2000 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id F1F6B37BCC9; Wed, 17 May 2000 13:17:14 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id QAA26098; Wed, 17 May 2000 16:17:13 -0400 (EDT) (envelope-from wollman) Date: Wed, 17 May 2000 16:17:13 -0400 (EDT) From: Garrett Wollman Message-Id: <200005172017.QAA26098@khavrinen.lcs.mit.edu> To: Kris Kennaway Cc: security@FreeBSD.ORG, Robert Watson , Darren Reed , Peter Wemm Subject: Re: HEADS UP: New host key for freefall! In-Reply-To: References: <3922D9A3.9EEC6033@softweyr.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > The point of a PKI is that you can have a *single* trusted root > certificate with all others signed by that one in a hierarchy. In order to > root the tree in something which (e.g.) Netscape browsers will > automatically understand, we'd need to have at least one key signed by a > commercial CA (Verisign, Thawte, ..) ...who are generally unwilling to sign CA certificates, and when they are, charge very large sums of money to do so. This is why most organizations which use X.509 for internal authentication purposes run their own CAs and deploy customized Web-browser installations which come with the appropriate CA certs preinstalled. (My employer, which owns tens of thousands of computers and has almost as many employees, does this. People who install the ``latest and greatest'' browser from wherever don't get support.) -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message