Valdis.Kletnieks@vt.edu wrote:
> On Wed, 12 Mar 2003 15:37:23 MST, Doug Royer <Doug@Royer.com> said:
>> If you are talking about TLS certs (not S/MIME certs) then the ISP can issue them to the customer directly (be a CA for connections from their customers over TLS connections). I have read that the customer can be given instructions on how to add the ISP cert as a trusted CA for that usage on M$ products.
>
> Non-scaling.
>
> The *OTHER* end of the connection won't recognize the ISP's CA, most likely.
Maybe I misunderstood part of the previous e-mail ...
The other end would be the ISP's customer. I was not talking about exporting the CERT to non-customers. I was talking about the ISP issuing CERTs for their customers and rejecting all others to port 25 for relaying. It allows roaming and is cheaper because for "ISP-A" from/to "ISP-A customers", you do not need to buy a cert.
So if I connect to an ISP-A port 25 and use a NON-ISP-A cert then relaying is not allowed even when the cert is valid and from an otherwise trusted CA. However ISP-A's customers can now have multiple (whatever it is called in the cert) domains and they can relay ONLY with their own ISP for ISP controlled domains. And if you add authentication, now the ISP can control which user(s) can relay specific domains.
And I agree with you, the big cert vendor is not going to do that for random customers.
--
Doug Royer                     | http://INET-Consulting.com
-------------------------------|-----------------------------
Doug@Royer.com                 | Office: (208)612-INET
http://Royer.com/People/Doug   | Fax:    (866)594-8574
                               | Cell:   (208)520-4044

We Do Standards - You Need Standards
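The relay policy Doug describes (relay only for clients presenting a cert issued by the ISP's own CA, everything else treated as untrusted inbound mail) maps directly onto Postfix's client-certificate restrictions. The following main.cf excerpt is an added illustration, not from the post or from any participant; file paths and hostnames are placeholders.

```ini
# /etc/postfix/main.cf (excerpt) -- added illustration, not from the post.
# Paths and hostnames are placeholders for ISP-A's own files.

# Offer TLS on port 25 for ISP-A's customers.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/mx.isp-a.example.pem
smtpd_tls_key_file  = /etc/postfix/tls/mx.isp-a.example.key

# Ask every connecting client for a certificate, but do not require one:
# ordinary inbound mail from other sites still arrives without a cert.
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = no

# Trust anchor for CLIENT certificates. Only ISP-A's customer-issuing CA
# belongs here. Listing a public CA would let anyone holding a cert from
# that CA relay, which is exactly the "NON-ISP-A cert is rejected" case
# the post wants to prevent.
smtpd_tls_CAfile = /etc/postfix/tls/isp-a-customer-ca.pem
smtpd_tls_ccert_verifydepth = 2

# permit_tls_all_clientcerts: relay for any client whose cert verified
#   against smtpd_tls_CAfile, i.e. any current ISP-A customer cert,
#   from whatever network they happen to be roaming on.
# reject_unauth_destination: everyone else (no cert, or a cert from some
#   other CA) may only deliver to domains this server is responsible for.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_tls_all_clientcerts,
    reject_unauth_destination
```

For the finer per-customer control the post mentions, Postfix can instead key relaying on individual certificate fingerprints with permit_tls_clientcerts and a relay_clientcerts lookup table, so a revoked or stray customer cert can be dropped without touching the CA.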