In <[EMAIL PROTECTED]>, on 01/03/00 at 11:46 PM, bram <[EMAIL PROTECTED]> said:

>On Mon, 3 Jan 2000, Dave Del Torto wrote:

>> Here the plot thickens: If the only two sigs on the key at CDNOW are
>> the key-owner's sig and David's, then the ability of any CDNOW
>> customer to trust the key's security is based on David's "trustability
>> quotient" as well as the ability of CDNOW to prevent spoofing of its
>> webpages. Giving CDNOW the benefit of the doubt in this case, this
>> means that David has become the de facto PGP Certificate Authority for
>> CDNOW, which implies more liability than he's probably willing to take
>> on personally, so it may be that he's a CDNOW employee and therefore
>> has some legal protections (one hopes it's in his contract).

>Does it? I'm skeptical as to whether there's ever been a strong legal
>opinion written on this matter, so it's unclear what a court would say if
>someone tried to sue someone else whose PGP signature they relied on. I
>would hope that a court would rule that with the absence of clear legal
>wording in a 'signature' which is really just a technical artifact, it
>should be treated as rumor.

>Lack of clear legal meaning is a definite weakness of current public key
>systems. It may seem boring and tedious to work out detailed legal
>meanings of what all the public key technical artifacts mean, but unless
>those artifacts refer to specific meanings themselves, a court will make
>them up later, and will probably make them up in a way which the original
>authors (meaning you) aren't happy with.

Well I seriously have my doubts on the liability of any CA as to the
accuracy of their assertions of identity. If you go to a website that has
a VeriSign cert, and the identity info in the cert is wrong, there is no
contractual obligation between VeriSign and yourself. It would be
different if you were paying VeriSign to provide you with certified
identities of 3rd parties but last I looked this is not the business model
that they are using (nor is any other CA).


-- 
---------------------------------------------------------------
William H. Geiger III                    http://www.openpgp.net  
Geiger Consulting    

Data Security & Cryptology Consulting
Programming, Networking, Analysis
 
PGP for OS/2:                   http://www.openpgp.net/pgp.html
---------------------------------------------------------------
