On Thu, 16 Sep 2004, Major Variola (ret) wrote:
At 02:17 PM 9/16/04 -0700, Joe Touch wrote:
Except that certs need to be signed by authorities that are trusted.
Name one.
You don't have to sign the certs. Use self-signed ones, then publish a GPG signature of your certificate in a known place; make bloody sure your GPG key is firmly embedded in the web-of-trust. This can be done with certs signed by an untrusted (read: any other than the one you operate yourself) CA as well. For HTTPS, there can be a negotiated standard location and format of the certificate signature file, stored in eg. /gpgsigned.xml location; the certificate is transported during the SSL handshake, so you can validate it within a single HTTPS request for the file. Similar thing applies for the client certificates and the servers; but then the server has to request the certificate signature from somewhere else (the location may be specified as an URL in the comment field of the client certificate). This should be easy to implement with PHP scripts, if Apache is configured to make the certificate visible as an environmental variable.