
Re: Looking for a simple SSL-CA package



On Sat, Aug 23, 2003 at 07:38:25PM +0200, Adam ENDRODI wrote:
> Perhaps I just misinterpret the terminology, but I've had the
> impression that every certificate should be signed, so should the
> root of the tree too.  Since they sit at the top of the hierarchy
> they must be self signed.  Am I missing something?

Nope, you've pretty much got it.  At some point in the tree, you need to
trust a key.  It's not that hard to establish trust for one key, but
it's very hard to establish trust for all keys.  Thus, you establish
trust in the certificate authority and trust keys signed by it.

If you don't want to run your own certificate authority or pay a
commercial one to sign your key, and you don't have a lot of
certificates to deal with, you can have each key simply be self-signed,
which I believe is what's being recommended here.

noah

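The two trust models discussed in this message, as an added example that is not part of the original thread: one self-signed root whose signature makes other keys trusted, versus a standalone self-signed certificate that is trusted only where it is installed itself. It assumes the openssl command-line tool with its default configuration; the file names, subject names and 30-day lifetime are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: every name below (CNs, file names) is constructed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Root of the tree: a self-signed certificate. Nothing above it vouches
# for it, so trust in it has to be established out of band.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# A server key signed by the root: trusted because the root is trusted.
issue_from_ca() {  # $1 = short name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1.example" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -days 30 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$1.crt" 2>/dev/null
}

# No CA at all: the key signs its own certificate.
make_self_signed() {  # $1 = short name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1.example" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Does certificate $2 verify when certificate $1 is the trust anchor?
trusts() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_root_ca && issue_from_ca www && issue_from_ca mail && make_self_signed lone

# One trusted root covers every key it signed, but not the standalone one.
for c in www mail lone; do
  if trusts ca "$c"; then echo "$c: verifies via the root"
  else echo "$c: not covered by the root"; fi
done

# The standalone certificate verifies only when it is installed as its own anchor.
trusts lone lone && echo "lone: verifies only when trusted directly"
```

With a CA, each client installs ca.crt once; with standalone self-signed certificates, every such certificate has to be distributed and trusted individually.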

