[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-core-devel
Subject:    Re: Root Certificate integration of DFN-PCA
From:       Andreas Pour <pour () mieterra ! com>
Date:       2002-02-21 19:44:39
[Download RAW message or body]

George Staikos wrote:
> 
> Yes you found the right person! :)
> 
> You are the second person to ask about this.  Last year an organization in
> Poland also requested for us to import their root certificate.  We had a very
> long discussion about this and did not accept their request due to legal
> issues.  Basically we have no way to defend ourself if someone asks us to
> import their certificate and a konqueror user gets scammed from this.

Hi,

Just to clarify on this point a bit.  The issue is one of legal
authority.  As you know, certificate issuers have procedures in place to
verify that (i) the organization seeking the certificate is legitimate
(easy in this case); (ii) that the organization has authorized the root
certificate; and (iii) that the person submitting the root certificate
is authorized to do so.  Probably there is something else I'm missing,
but those are the essential issues.

With respect to a root certificate the issue is far more serious.  There
is no way for us to know you are who you claim to be, or, even if so,
that you are authorized to provide your institution's root certificate. 
Verifying this entails certain legal procedures that we are ill-equipped
to handle on our own.  It's not that they would be overly complicated,
but you can see the problem if, say, some cracker posing as an official
convinced us to include a root certificate in the browser.

I recall, when the previous official contacted us, we concluded that we
could do this if the requester paid for the legal services we would
incur to make sure we are using proper procedures to verify the facts. 
I do not know how much this would cost, as this official lost interest
at that point.  Of course once the procedures are in place, it would be
substantially easier to address subsequent requests.

Sorry for the inconvenience this may cause you, but I hope you
understand that we need to act responsibly in these matters.

Regards,

Dre
[prev in list] [next in list] [prev in thread] [next in thread]