On onsdag, jul 16, 2003, at 16:51 Europe/Stockholm, Randy Bush wrote:
Or are you suggesting that RIPE should select one of the commercial root CAs and get all the client certificates from that shop?
no, the RIRs can sign their customers certs.
maybe a tutorial is needed on how this stuff works. paf, is there one readily available?
Well, the problem is to know whether the tutorial talk about how the map is drawn or how things work in reality. The overall question is how to build the chain of trust in X.509. We can do (a) CA -> RIR -> RIR member (b) CA -> RIR and CA -> RIR member As I don't work in the X.509 environment (I have been running my head against the wall too many times when discovering the applications do not do everything magic the spec is supposed to support) I am the wrong person to ask. BUT, I can find someone which can help.
From a trust point of view it is in fact *better* to consciously import the RIPE root-ca certificate in your browser then to simply trust what's in your root certificate store.
when the RIRs' procedures to protect their root CA keys are audited
...and the question is whether this audit and operations is cheaper than to "just buy the thing" from a different CA... paf