Randy, Randy Bush wrote:
What I now heard was that the ssl connections will be strengthened by adding client side certificates which can be used for authentication. This might of course raise questions about the use of a third-party CA for the certificates, but this is (as clarified in this mail below) resolved by having the RIR be a CA by itself.
so i am supposed to install the RIRs' certs in my browser as root CAs and ignore the big hole for attack this opens? i already *remove* a bunch of root CAs when i bring up a new browser. this is the new internet. get paranoid.
let the RIRs spend a few of the bucks they have getting their certs signed by a well-trusted root CA.
Certificates from the RIPE NCC's CA are not intended for 3rd party authentication. They are only intended to allow the LIRs to authenticate themselves to the RIPE NCC.

Some mail clients require that the RIPE NCC CA be installed as a root CA before they will let the user send mail signed by a certificate issued by the RIPE NCC CA. Therefore we provide an easy means for users to do this. If you wish to use a mail client without this restriction, there is no reason to trust the RIPE NCC's CA for anything other than issuing your certificate.

It's not certificates for the RIPE NCC that are the issue here, it's certificates for the LIRs, to be trusted by the RIPE NCC. If the RIPE NCC were to trust certificates issued by another CA, then we would be relying on their registration authority (RA). Not only would the RIPE NCC have to trust a 3rd party to identify RIPE NCC members, but users would need to provide a separate set of documentation and probably also pay a fee to obtain their certificates.

--
Shane Kerr
RIPE NCC
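The trust scoping Shane describes, a registry CA that is trusted only for authenticating members to the registry and never installed as a general root, can be shown in code. The following Go program is an added example, not code from RIPE NCC or from this thread: it builds a constructed "registry CA" and an unrelated CA, issues one member certificate from each, and verifies the presented certificate against a pool containing only the registry CA with client-auth usage. The member certificate verifies; the one issued by the unrelated CA does not, and the system root store is never consulted, which is exactly the property that makes installing such a CA as a browser root unnecessary. All names ("Example Registry CA", "lir-example") are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serial is a simple counter so every constructed certificate gets a distinct serial.
var serial int64

// issue creates a self-signed CA certificate when parent is nil, otherwise a
// client-auth leaf certificate signed by parent with parentKey. Hypothetical helper.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Leaf certificates are scoped to client authentication only.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signKey := tmpl, key // self-signed by default
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyMember checks a presented member certificate against a pool that holds
// only the registry's own CA. The pool is private: system roots play no part,
// and the registry CA is trusted for nothing beyond this check.
func VerifyMember(registryCA, presented *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(registryCA)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Demo builds a registry CA and an unrelated CA, issues a member certificate from
// each with the same subject, and reports whether each passes VerifyMember.
func Demo() (memberOK bool, foreignOK bool, err error) {
	registryCA, registryKey, err := issue("Example Registry CA", true, nil, nil)
	if err != nil {
		return false, false, err
	}
	foreignCA, foreignKey, err := issue("Unrelated CA", true, nil, nil)
	if err != nil {
		return false, false, err
	}
	member, _, err := issue("lir-example", false, registryCA, registryKey)
	if err != nil {
		return false, false, err
	}
	// Same subject name, but issued by a CA the registry never chose to trust.
	foreign, _, err := issue("lir-example", false, foreignCA, foreignKey)
	if err != nil {
		return false, false, err
	}
	memberOK = VerifyMember(registryCA, member) == nil
	foreignOK = VerifyMember(registryCA, foreign) == nil
	return memberOK, foreignOK, nil
}

func main() {
	memberOK, foreignOK, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("registry-issued member cert accepted: %v\n", memberOK)
	fmt.Printf("unrelated-CA cert accepted:          %v\n", foreignOK)
}
```

The design point is the explicit `Roots` pool: the registry decides which CA identifies its members, so it does not inherit any other CA's registration authority, and the member's client never needs the registry CA in its own root store for this check to work.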