The Ultimate Business Machine - Archives
Sun 17 Jul 2005
Certificate Signing - Dead End
Category : Technology/chainOfTrust.txt
I'm going to wrap up my exploration of digital certificate signing, at least for a while until I get better ideas, but this is why I think I've hit a dead end.
According to the man page for the OpenSSL verify command, which checks that a cert is OK all the way up its trust chain, one of the checks it performs is to make sure that the issuer of a cert is actually allowed to sign certs:
So, the freessl cert that I bought, which I was hoping would allow me to sign certs in turn for Hai Hwee, Bee Khim, Brendan, etc., does not include cert signing among its allowed uses.
So I think it's not the technology. We've got everything there in OS X, under the OpenSSL umbrella of commands, to do it, i.e., sign certs as a valid intermediate Certification Authority, so long as we have a valid cert that allows us to establish that "chain of trust". Whatever limitations exist now are man-made.
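The check described above can be reproduced end to end with nothing but the openssl command. This is an added example, not code from the original post: a constructed root CA issues a server-style cert ("leaf") without CA authority, "leaf" then signs a cert for "friend", and `openssl verify` accepts leaf but rejects friend even though every signature is cryptographically valid. All names, keys and file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates why a cert bought
# without basicConstraints CA:TRUE / keyUsage keyCertSign cannot act as an
# intermediate CA: `openssl verify` rejects anything it issues.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Fresh key + CSR for a constructed subject name.
newcsr() { # $1=name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1 (constructed)" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Sign a CSR with an issuer's cert and key, applying the given extensions.
issue() { # $1=name  $2=issuer  $3=extension text (openssl x509v3 syntax)
  printf '%s\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Exit status of `openssl verify` for root -> [untrusted intermediate] -> cert.
verify_chain() { # $1=cert  $2=optional intermediate
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile root.crt -untrusted "$2.crt" "$1.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile root.crt "$1.crt" >/dev/null 2>&1
  fi
}

# Self-signed root that IS allowed to sign certs.
newcsr root
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl x509 -req -in root.csr -signkey root.key -days 30 \
  -extfile root.ext -out root.crt 2>/dev/null

# "leaf": the kind of cert a public CA sells for a server; no CA authority.
newcsr leaf
issue leaf root "basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment"

# "friend": signed with leaf's key, which leaf's own cert does not permit.
newcsr friend
issue friend leaf "basicConstraints=CA:FALSE"

verify_chain leaf        && echo "leaf:   OK (issued by a real CA)"
verify_chain friend leaf || echo "friend: REJECTED (issuer lacks CA:TRUE / keyCertSign)"
```

The signature on friend.crt is perfectly good; verify fails only because the path-building rules refuse to treat leaf as an issuer, which is the man-made limitation the post describes.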
This is what irks me about the whole SSL and digital certs thing. It does use some relatively esoteric Unix incantations, but it's all clearly understandable. The first time I bought a Verisign cert, I was awed by all this PKI "our facility is protected by seven rings of security" thing. But you could do all this on your Mac.
We need digital signatures and message encryption more than we need these guys to insert themselves into the "Chain of Trust".