On Wednesday, Jul 16, 2003, at 16:51 Europe/Amsterdam, Randy Bush wrote:
ok something but what's the big hole
someone getting at the root CA key at an RIR
There would still be the very similar issue of someone getting at the certificate that the RIR bought from the third-party CA. In reality, you do not need to have the RIRs sign any of the customer certificates; they simply need to verify that the certificate presented by the member does indeed belong to the member and incorporate it into the RIR system. If the RIR were a root CA, then it could issue certificates to its members for a fee agreed by the membership (potentially zero). In any case, I believe external certificates should be allowed to be used in the system so that people who do not trust the RIR CA can get their certificate somewhere else. A user can also choose to control the scope of validity of an RIR-issued certificate by defining the scope in the browser, if it allows it, or by having a second installation of the browser used only for the purpose of communication with the RIR.

Joao