Educause Security Discussion mailing list archives
Re: Discontinuance of Thawte personal email certificates and Web of Trust
From: Ken Layng <kml18 () PSU EDU>
Date: Wed, 30 Sep 2009 13:35:20 -0400
Of course no one ever guaranteed that PKI was simple, either. At least for AD-integrated environments, it may come down to creating a browser package with the Root CA pre-installed, then deployed via Group Policy. For non-AD environments make a Firefox install package available for download.

I do see a significant upside benefit if this course could be taken.

Ken Layng

jeff murphy wrote:
> On Sep 30, 2009, at 11:09 AM, Valdis Kletnieks wrote:
>> On Wed, 30 Sep 2009 10:47:34 EDT, jeff murphy said:
>>> Ignoring personal accounts, it would be interesting to see EDUCAUSE (identity & access mgmt) investigate whether this can be provided to EDUs. Similar to the way .edu is managed by EDUCAUSE, perhaps it's possible to obtain an EDUCAUSE chained root cert by one of the existing roots (IPS?) and then allow EDUs to issue email/TLS certs for themselves using an EDUCAUSE hosted interface. The ability to do this for TLS (SSL) certs alone would be a significant win, from a financial and security perspective, for the EDU community.
>>
>> Or just leverage the CACert project? http://www.cacert.org/
>
> I'm pretty sure CAcert doesn't have its root in any of the browsers, which is why I didn't bring it up. That's usually the stumbling block for doing this -- the lack of distribution of your root (or in the case of a chained root, the root of whomever chained it for you) with the common operating systems. For this to be successful, it needs to be as close to trivial as possible, and that means, imo, not requiring that users/ITsupport/etc load a root cert into their OS.
>
> jeff

--
Ken Layng
The Pennsylvania State University
ITS Training Services
Twitter: klayng (personal) psuitpro (IT-Pro)
23 Willard
814-863-8800