On Wed, 29 Oct 2003 18:55:16 EST, George Capehart <capegeo@opengroup.org> said: > This is why the CA's Certification Practice Statement (CPS) is so > important . . . and why, if one is going to accept a certificate, they > *really* should read the CPS and understand exactly what process the CA > went through to determine the authenticity of the DN. *Then* you > should read the audit reports to see if the CA is really following the > CPS. If that information is not available publicly available, he/she > who accepts those certs deserves what he/she gets. As a practical matter, there's "certs signed by our internal CA" and "certs signed by any other CA". "any other CA"s certs are for the most part useless as anything other than a glorified MIC (Message Integrity Check) - if the data is properly signed by the cert and the cert's signed by the CA, the data hasn't been diddled since signing. The distinction for *my* CA is that I know what their CPS is, I know what their audit is, *and* I have a good guess of how they do things when auditors aren't looking (if you think these departments can't *smell* an auditor coming, you haven't been around long enough). Oh, and there's one other major benefit. When Verisign bobbled that bogus Microsoft cert, there weren't any major repercussions for Verisign. On the other hand, the cert gnomes upstairs from my office know *very* well that if they screw up a cert in a way that affects me, I *will* be up there creating real repercussions for them... :)
Attachment:
pgp00137.pgp
Description: PGP signature