|
> No-one has stepped in to be an alternate RootCA, and I can't imagine
> why. I would expect EFF could do it, anyone could do it. You do need
> a bit of money and have to setup secure machine(s), have some way of
> keeping track of keys and making sure that the webbrowsers have them
> pre-installed.
The last part of this is the difficult part. We run our own RootCA here,
because we were quoted a price from Verisign in excess of $50K per year
for what we wanted to do. Then there is the ominous-looking spam that
VeriSign sends that makes it sound like you will lose your domain name if
you don't register it through them, so I won't do business with them
anyway even if the price *has* come down.
So we had little choice, and we've just had to guide our users through the
scary dialog boxes to get them to accept our CA. Once that's done though,
we can now use SSL with authentication to control viewing of our internal
web pages. Works for us, but your mileage may vary. I do recall hearing a
lot of cursing coming from the security administrator's office while they
were trying to get the RootCA working, too. That can be rather tricky.
--Greg
|
