Hello Cris,

Cris Bailiff wrote:
> Götz,
>
> (sorry for being late with this - been on holiday)
I will start my holiday now...

> I'm a bit confused as to your description of the purpose of the TC Class 0 CA
> certificate. It arrived in curl's ca-bundle because this file was taken from
> the mod_ssl distribution, wihch contains the same list of CA information.

As I've written you with a private mail:

The Class 0 CA issues demo certificates with a validity of one month.
Since it is a demo, no checks on the subject are done.

It was never intended to be in any list of trusted CA certs.

The reason it was added to netscape was (AFAIK) the result of a
communication error.

It seems we had a blind spot there,
but we never realy realized it was in the list.

A few weeks ago a german computer magazine (IX)
had an article about SSL security.
In this article the certificate was mentioned.

Since then I'm working to get it out of production.

But since it is no key compromise,
the user base is small (Netscape 4.X)
and the CA is used by some customers and
I am not alowed to LART stupid acting people anymore,
marketing is slow on deciding how to handle
this event.
But at least I was able to wake _some_ people.

I at now start my holiday and
if the certificate is still in production the day I return,
I'll have a nice little talk with our CTO...

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126

-------------------------------------------------------
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en