[WEB SECURITY] Improving Authentication on the Internet

Gervase Markham gerv at gerv.net
Thu May 12 16:40:04 EDT 2005


Paul Schmehl wrote:
> I'm not disagreeing with your analysis, but wouldn't your method 
> invalidate the need for the local root cert?  If you're going to trust 
> Verisign to affirm the authenticity of the local root cert, then you're 
> back to the same place you were before you created your own - trusting 
> the existing root certs.
> 
> Aren't you?

Yes - although you can leverage a single cert for a single machine, 
bought from Verisign, into trust for any machine you care to sign a cert 
for (signed by your new CA). Which is certainly cheaper than buying all 
the certs from Verisign.

Gerv

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/



More information about the websecurity mailing list