Re: Discontinuance of Thawte personal email certificates and Web of Trust

[Ken Layng <kml18 () PSU EDU>]

Of course no one ever guaranteed that PKI was simple, either. At least
for AD-integrated environments, it may come down to creating a browser
package with the Root CA pre-installed, then deployed via Group Policy.
For non-AD environments make a Firefox install package available for
download. I do see a significant upside benefit if this course could be
taken.

Ken Layng

jeff murphy wrote:
> On Sep 30, 2009, at 11:09 AM, Valdis Kletnieks wrote:
>
> > On Wed, 30 Sep 2009 10:47:34 EDT, jeff murphy said:
> >
> > > Ignoring personal accounts, it would be interesting to see EDUCAUSE
> > > (identity & access mgmt) investigate whether this can be provided to
> > > EDUs. Similar to the way .edu is managed by EDUCAUSE, perhaps it's
> > > possible to obtain an EDUCAUSE chained root cert by one of the
> > > existing roots (IPS?) and then allow EDUs to issue email/TLS certs for
> > > themselves using an EDUCAUSE hosted interface. The ability to do this
> > > for TLS (SSL) certs alone would be a significant win, from a financial
> > > and security perspective, for the EDU community.
> >
> > Or just leverage the CACert project?
> >
> > http://www.cacert.org/
>
> I'm pretty sure CAcert doesn't have it's root in any of the browsers,
> which is why I didn't bring it up. That's usually the stumbling block
> for doing this -- the lack of distribution of your root (or in the
> case of a chained root, the root of whomever chained it for you) with
> the common operating systems. For this to be successful, it's needs to
> be as close to trivial as possible, and that means, imo, not requiring
> that users/ITsupport/etc load a root cert into their OS.
>
> jeff
--

Ken Layng
The Pennsylvania State University
ITS Training Services
Twitter:
   klayng (personal)
   psuitpro (IT-Pro)
23 Willard
814-863-8800