TLS does not require an external Certificate Authority

Sorry, I missed where we got the assertion that TLS requires a CA.

As I understand it TLS requires a ROOT CERTIFICATE and CERTIFICATES.
[Assuming the identity-based case, not the anonymous case.]
Implementations can do whatever they wish to come up with the root
certificate.  I might deal with that by configuring my implementation to
use Thawte's root certificate and use them as a CA.  Someone else might set
up a CA for use inside a corporation or other organization.  Someone might
even set things up to self-sign or deliver a signature engine fairly
widely.  One can look at PGP as an example of this.

I don't see that there is any technical REQUIREMENT in TLS that I pay
anyone to act as my certificate authority.  I myself use it that way
sometimes but that's an implementation and deployment detail, not a
requirement of the protocol.

>Resent-Date: Fri, 7 Feb 1997 04:10:51 -0500
>Resent-Message-Id: <>
>Date: Fri, 7 Feb 1997 11:08:47 +0200 (SAT)
>From: Mark Shuttleworth <>
>To: Dennis Glatting <>
>Subject: Re: secure tcp ports
>X-Mailing-List: <> archive/latest/593
>> TLS requires a CA, unless one of the proposed shared key
>> mechanisms are adopted. There is not a global CA
>> infrastructure, more or less a US infrastructure. Worse, in
>> the US there is the real possibility of escrow. Associated with
>Begging your pardon,  but Thawte's strategy is entirely global.  Also,
>because we are based outside the US,  the only way we would consider
>escrow is if the US government explicitly banned the use of non-escrow
>keys within the US - an unlikely proposition.
>> most CAs is a financial transaction.  Though traditional use of
>> security (in particular, cryptography) has often been
>> labeled as "not for free", requiring investment in a CA or
>> purchase of a CERT gives the term new meaning.
>As soon as it's possible to conduct quality checks free,  there will be
>quality free certs.  Certification should not be an expensive thing at
>all.  We don't think so.
>Also,  I think we'll see "micro-certification" become important.  By this
>I mean the certification of small, easy to prove but also valuable
>relationships,  like "this key is managed by the person at the end of this
>email address".  Xcert, Thawte, Verisign, etc. all have projects that
>explicitly or implicitly suggest this trend.
>Mark Shuttleworth
>Thawte Consulting

               Rodney Thayer <>       +1 617 332 7292
               Sable Technology Corp, 246 Walnut St., Newton MA 02160 USA
               Fax: +1 617 332 7970 
                           "Developers of communications software"

Received on Friday, 7 February 1997 09:55:14 UTC
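As an added illustration of the point above (example code, not part of this thread or of any of its authors' software): with nothing but the Go standard library, a deployment creates its own root, issues a server certificate under it, and verifies that certificate against that root alone. The organization name "Example Corp Internal Root" and the host name intranet.example are assumed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewPrivateCA builds a self-signed root and issues one server cert for serverName; no external CA is involved.
func NewPrivateCA(serverName string) (root, leaf *x509.Certificate, err error) {
	rootPub, rootKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafPub, _, err := ed25519.GenerateKey(rand.Reader) // the leaf's private key would live on the server
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{ // self-signed: the template is its own parent below
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Internal Root"}, // assumed name
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, rootPub, rootKey)
	if err != nil {
		return nil, nil, err
	}
	if root, err = x509.ParseCertificate(der); err != nil {
		return nil, nil, err
	}
	der, err = x509.CreateCertificate(rand.Reader, &x509.Certificate{ // end-entity cert signed by the root key
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serverName}, DNSNames: []string{serverName},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, leafPub, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(der)
	return root, leaf, err
}

// VerifyWithRoots checks leaf for serverName against exactly roots; always pass a pool (even an empty one), since a nil Roots makes Go fall back to the system CA store.
func VerifyWithRoots(leaf *x509.Certificate, roots *x509.CertPool, serverName string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName})
	return err
}
```

A pool holding only the private root accepts the leaf; an empty pool, or a pool with someone else's root, rejects it, which is exactly the "root certificate is an implementation and deployment detail" point.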