[db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database

On onsdag, jul 16, 2003, at 16:51 Europe/Stockholm, Randy Bush wrote:

>> Or are you suggesting that RIPE should select one of the
>> commercial root CAs and get all the client certificates from that
>> shop?
>
> no, the RIRs can sign their customers certs.
>
> maybe a tutorial is needed on how this stuff works.  paf, is there
> one readily available?

Well, the problem is to know whether the tutorial talk about how the 
map is drawn or how things work in reality.

The overall question is how to build the chain of trust in X.509.

We can do

(a) CA -> RIR -> RIR member
(b) CA -> RIR and CA -> RIR member

As I don't work in the X.509 environment (I have been running my head 
against the wall too many times when discovering the applications do 
not do everything magic the spec is supposed to support) I am the wrong 
person to ask.

BUT, I can find someone which can help.

>> From a trust point of view it is in fact *better* to consciously
>> import the RIPE root-ca certificate in your browser then to
>> simply trust what's in your root certificate store.
>
> when the RIRs' procedures to protect their root CA keys are audited

...and the question is whether this audit and operations is cheaper 
than to "just buy the thing" from a different CA...

    paf