Ted wrote:
Meanwhile, we haven't even been able to get our act together to generate
a PEM root key; my understanding is that this at least partially related
to the liability involved in running a root which *everyone* has to
trust, although there may be other show stoppers as well.
Bob replied:
That is an issue I can be very sympathetic to. I sure as hell wouldn't
undertake such a liability, especially for free!
Maybe we ought to confront this issue head-on as well. I see two ways
around this problem:
1. Get one or more sovereign governments to undertake the
responsibility, since the circumstances under which governments can
be sued are quite limited.
...
This is not going to happen in any reasonable time frame.
2. Abandon the notion of using the IPRA to sign all of the
certificates of all of the PCAs, and use a direct trust model to
install self-signed PCA certificate(s) in the user's software. That
is what will have to be done with the IPRA certificate in any case.
Since we have to have support direct trust anyway, this seems like the
direction we're headed in.
Steve