pem-dev

Re: A user's perspective of PEM

1994-01-22 03:47:00
Bob,

Let me add a tiny bit to Ken's reply.  Because DISA is part of the
U.S. Government, there's no direct charge for PCA service.  As far as
we were concerned, all he had to do was convince us he was the
appropriate speaker for the portion of the Government he represents.

As a general matter, we expect to deal with people at various levels
in organizations.  We expect that PEM will be used within small
portions of an organization at first and then be used more broadly
later.  Accordingly, we expect to sign up small groups when they ask
to be signed up, and then we expect to work with them to expand their
hierarchy later.  For example, if you set up a CA within GTE and asked
us to sign the certificate for the CA, we would ascertain how much of
GTE you were representing and we would check that the dname in the CA
certificate corresponded to that scope.  If you, or someone else at
GTE, were to come to us later and try to expand the scope, we'd be
happy to do so, assuming the appropriate representations were made.
This procedure applies to companies, universities and government
agencies alike.

Steve

I would be quite interested to know what type of organizational
hurdles, if any, you had to go through to sign a contract (if you
had to sign one) with TIS to be a CA, and even more importantly,
how much effort it took to get DISA management to sign off
on the use of digital signatures for CERT purposes.

Were any restrictions placed on the use of these certificates
for any other purposes?

I would be DELIGHTED to be wrong, but my perception
is that so far not one single organization has jumped
through all of these legal hoops and set up a real,
honest-to-God, non-beta use of digital signatures and
X.509 certificates, and I am growing increasingly
concerned.

If you or anyone else has actually cracked this particular
nut, I think it would be very beneficial to educate the rest of us
as to what it took. Maybe we can use it as a reference sell.

Bob
