W3C home > Mailing lists > Public > ietf-tls@w3.org > January to March 1997

TLS does not require an external Certificate Authority

From: Rodney Thayer <rodney@sabletech.com>
Date: Fri, 07 Feb 1997 09:53:01 -0500
Message-Id: <>
To: ietf-tls@w3.org
Sorry, I missed where we got the assertion that TLS requires a CA.

As I understand it TLS requires a ROOT CERTIFICATE and CERTIFICATES.
[Assuming the identity-based case, not the anonymous case.]
Implementations can do whatever they wish to come up with the root
certificate.  I might deal with that by configuring my implementation to
use Thawte's root certificate and use them as a CA.  Someone else might set
up a CA for use inside a corporation or other organization.  Someome might
even set things up to self-sign or deliver a signature engine fairly
widely.  One can look at PGP as an example of this.

I don't see that there is any technical REQUIREMENT in TLS that I pay
anyone to act as my certificate authority.  I myself use it that way
sometimes but that's an implementation and deployment detail, not a
requirement of the protocol.

>Resent-Date: Fri, 7 Feb 1997 04:10:51 -0500
>Resent-Message-Id: <199702070910.EAA11516@www19.w3.org>
>Date: Fri, 7 Feb 1997 11:08:47 +0200 (SAT)
>From: Mark Shuttleworth <marks@thawte.com>
>To: Dennis Glatting <dennis.glatting@plaintalk.bellevue.wa.us>
>cc: billo@server.net, ietf-tls@w3.org, ssl-talk@netscape.com
>Subject: Re: secure tcp ports
>X-List-URL: http://lists.w3.org/Archives/Public/ietf-tls
>Resent-From: ietf-tls@w3.org
>X-Mailing-List: <ietf-tls@w3.org> archive/latest/593
>X-Loop: ietf-tls@w3.org
>Sender: ietf-tls-request@w3.org
>Resent-Sender: ietf-tls-request@w3.org
>> TLS requires a CA, unless one of the proposed shared key
>> mechanisms are adopted. There is not a global CA
>> infrastructure, more or less a US infrastructure. Worse, in
>> the US there is the real possibility of escrow. Associated with
>Begging your pardon,  but Thawte's strategy is entirely global.  Also,
>because we are based outside the US,  the only way we would consider
>escrow is if the US government explicitly banned the use of non-escrow
>keys within the US - an unlikely proposition.
>> most CAs is a financial transaction.  Though traditional use of
>> security (in particular, cryptography) has often been
>> labeled as "not for free", requiring investment in a CA or
>> purchase of a CERT gives the term new meaning.
>As soon as it's possible to conduct quality checks free,  there will be
>quality free certs.  Certification should not be an expensive thing at
>all.  We don't think so.
>Also,  I think we'll see "micro-certification" become important.  By this
>I mean the certification of small, easy to prove but also valuable
>relationships,  like "this key is managed by the person at the end of this
>email address".  Xcert, Thawte, Verisign, etc. all have projects that
>explicitly or implicitly suggest this trend.
>Mark Shuttleworth
>Thawte Consulting

               Rodney Thayer <rodney@sabletech.com>       +1 617 332 7292
               Sable Technology Corp, 246 Walnut St., Newton MA 02160 USA
               Fax: +1 617 332 7970           http://www.shore.net/~sable
                           "Developers of communications software"
Received on Friday, 7 February 1997 09:55:14 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:17:12 UTC