European Data Retention and Encryption for Dummies
Lucky Green
shamrock at cypherpunks.to
Mon Jun 3 17:25:55 PDT 2002
Tom wrote:
> The problem with both is the need of SSL certificates. So I
> was thinking of setting up a "Joe Doe's CA". A simple webpage
> where you can request a certificate. It would do two check:
>
> a) check if IP you are using is identical to the IP you are
> requesting for, i.e. you'll have to ssh into your webserver
> and use lynx from there.
>
> b) the certificate will be mailed to the admin-c of the
> domain you requested it for (whois lookup).
I have been meaning to set up a similar CA for years now, but never
found the time. While you are at it, you might want to configure your CA
to offer S/MIME certs subject to an email ping. (Which is what exactly
what Thawte (a.k.a. VeriSign) is using to authenticate their free S/MIME
certs). Make sure that your CA will only sign sufficient size keys,
responding with a meaningful error message if a smaller key is
submitted.
There is a commercial SSL cert provider with roots in the browsers that
uses just authentication method b) that you propose.
However, for your CA, I would recommend doing away with b) since that
will limit even "legitimate" (whatever that would mean in this context)
users of your CA. Do a whois on cypherpunks.to to see why b) won't work
for everybody. If you don't care about serving users of some CCTLD's,
you can leave b) in. Your CA, your CSP.
YMMV,
--Lucky
More information about the cypherpunks-legacy
mailing list