Tom wrote:
The problem with both is the need for SSL certificates. So I was thinking of setting up a "Joe Doe's CA". A simple webpage where you can request a certificate. It would do two checks:
a) check if IP you are using is identical to the IP you are requesting for, i.e. you'll have to ssh into your webserver and use lynx from there.
b) the certificate will be mailed to the admin-c of the domain you requested it for (whois lookup).

I have been meaning to set up a similar CA for years now, but never found the time. While you are at it, you might want to configure your CA to offer S/MIME certs subject to an email ping. (Which is exactly what Thawte (a.k.a. VeriSign) is using to authenticate their free S/MIME certs.)

Make sure that your CA will only sign keys of sufficient size, responding with a meaningful error message if a smaller key is submitted.

There is a commercial SSL cert provider with roots in the browsers that uses just authentication method b) that you propose. However, for your CA, I would recommend doing away with b) since that will limit even "legitimate" (whatever that would mean in this context) users of your CA. Do a whois on cypherpunks.to to see why b) won't work for everybody. If you don't care about serving users of some ccTLDs, you can leave b) in. Your CA, your CSP. YMMV,

--Lucky
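
The key-size advice above, as an added example that is not part of the original message or any CA's own code: a standard-library check that reads the RSA modulus out of a DER-encoded PKCS#10 request and returns a readable rejection when the key is too small. The 2048-bit floor, all function names and the `sample_csr` test input are assumptions made for illustration; the check covers key size only and does not verify the request's signature.

```python
MIN_RSA_BITS = 2048  # assumed policy floor; the post only says "sufficient size"
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def tlv(tag, value):  # DER-encode one element (used only to build the sample)
    n = len(value)
    k = (n.bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + hdr + value

def read_tlv(buf, pos=0):  # -> (tag, value, next_pos) of the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split a constructed element's contents into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_bits_from_csr(der):
    # PKCS#10: SEQUENCE { info { version, subject, SPKI, [0] attrs }, sigAlg, signature }
    info = children(children(read_tlv(der)[1])[0][1])
    alg, key = children(info[2][1])  # AlgorithmIdentifier, BIT STRING
    if children(alg[1])[0][1] != RSA_OID:
        raise ValueError("not an RSA key")
    modulus = children(read_tlv(key[1][1:])[1])[0][1]  # skip unused-bits octet
    return int.from_bytes(modulus, "big").bit_length()

def check_csr(der):  # -> (accepted, message shown to the requester)
    try:
        bits = rsa_bits_from_csr(der)
    except (ValueError, IndexError) as exc:
        return False, f"rejected: cannot parse request ({exc})"
    if bits < MIN_RSA_BITS:
        return False, f"rejected: RSA key is {bits} bits, this CA signs {MIN_RSA_BITS} bits or more"
    return True, f"accepted: RSA key is {bits} bits"

def sample_csr(bits):  # constructed, unsigned skeleton; not a real key or request
    n = (1 << (bits - 1)) | 1
    rsa = tlv(0x30, tlv(0x02, n.to_bytes(bits // 8 + 1, "big")) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + rsa))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + spki + tlv(0xA0, b""))
    return tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```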