Is it practical for a particular group, for example a corporation or a conspiracy, to whip up its own damned root certificate, without buggering around with verisign? (Of course fixing Microsoft's design errors is never useful, since they will rebreak their products in new ways that are more ingenious and harder to fix.) Yup. In fact, some IPSec firewalls rely on the corporate having a local CA root to issue keys for VPN access. from there it is only a small step to using the same (or parallel issued) keys for email security. The problem there really is that the keys will be flagged as faulty by anyone outside the group (and therefore without the root key already imported), and that will usually only work in a semi-rigid hierachical structure. There *is* an attempt to set up something resembling a Web of

at Monday, September 30, 2002 7:52 PM, James A. Donald <jamesd@echeque.com> was seen to say: trust using x509 certificiates, currently in the early stages at nntp://news.securecomp.org/WebOfTrust

I intended to sign this using Network Associates command line pgp, only to discover that pgp -sa file produced unintellible gibberish, that could only be made sense of by pgp, so that no one would be able to read it without first checking my signature. you made a minor config error - you need to make sure clearsign is enabled.

I suggest that network associates should have hired me as UI design manager, or failing, that, hired the dog from down the street as UI design manager. It's command line. Most cyphergeeks like command line tools powerful and cryptic :)