From: "Kipp E.B. Hickman" <kipp@warp.mcom.com>
Date: Tue, 13 Dec 94 11:33:57 PST
To: "Amanda Walker" <amanda@intercon.com>
Subject: Re: Clarification of my remarks about Netscape
In-Reply-To: <9412131431.AA19841@amanda.dial.intercon.com>
Message-ID: <9412131132.ZM18680@warp.mcom.com>
MIME-Version: 1.0
Content-Type: text/plain


On Dec 13,  2:31pm, Amanda Walker wrote:
> Subject: Re: Clarification of my remarks about Netscape
> > All you need to do is get your server certificate from one of
> > several places, including:
> >
> > 	RSA (commercial CA or server CA)
>
> Do you need a server certificate issued directly by one of these PCAs, or
does
> it just need to be rooted there (i.e., can I use my [hypothetical] corporate
> PCA, which itself has a certificate from the RSA commercial PCA)?

Unfortunately, for now, we only support cert's directly issued from the
imbedded CA's. One level deeper is not trustworthy in any case, unless you make
the user define trust. That requires a GUI and we haven't done that yet.

> If it's the former, I would strongly urge you to extend your clients to
> include the latter.  I don't want to have to go to RSA for every server
> certificate--that's in part what the PCA hierarchy exists for.

We agree, and someday this won't be a problem.

> Similarly, if I set up a personal server (with my home page, for example),
can
> I'd like to be able to use a certificate issued by the RSA Unaffiliated User
> CA, which is itself a PCA certified by the Commercial CA.

I didn't bother imbedding the RSA Unaffiliated User CA because I didn't think
server operators would use it to get certificates.


-- 
---------------------------------------------------------------------
Kipp E.B. Hickman          Netscape Communications Corp.
kipp@mcom.com              http://www.mcom.com/people/kipp/index.html