Ed Gerck wrote:
Also, in an effort to make their certs more valuable, CAs have made digitally signed messages imply too much -- much more than they warrant or can even represent. There are now all sorts of legal implications tied to PKI signatures, in my opinion largely exaggerated and casuistic.

as discussed in numerous non-repudiation posts, dual-use threat posts, and posts about human signatures .... where the human signature implies that the person has read, understood, authorizes, approves, and/or agrees with what is read and understood ....

the validation of a digital signature with a public key implies that the message hasn't been altered since transmission and there is "something you have" authentication (the originator has access and use of the corresponding private key). the simple validation of a digital signature doesn't carry with it any of the sense of a human signature and/or non-repudiation.

in most business scenarios ... the relying party has previous knowledge and contact with the entity that they are dealing with (making the introduction of PKI digital certificates redundant and superfluous). Furthermore, x.509 identity certificates possibly horribly overloaded with personal information would represent significant privacy issues.

i've claimed that in the aads effort
http://www.garlic.com/~lynn/index.html#aads

not having to be pre-occupied with trying to interest relying parties in digital certificates containing information they already had .... we were more free to concentrate on general threat, risk and vulnerability analysis. for instance, one of the things that a relying party might be really interested in is the integrity of the environment housing a subject's private key (is it in a software file or a hardware token, if a hardware token, what are the characteristics of the hardware token, etc) and the integrity of the environment in which a digital signature was generated.

one possible scenario is that CAs wanted to convince relying parties in the value of the certificates and not distract them with fundamental business integrity issues ... which might have resulted in businesses diverting money to fundamental business integrity items ... rather than spending on redundant and superfluous digital certificates likely containing information that they already had (i.e. having digital certificates would result in magical fu-fu dust being sprinkled over the rest of the infrastructure automagically precluding any such integrity problems?). furthermore they could spread semantic confusion ... somehow implying that because the term "digital signature" contained the word "signature" ... it was somehow related to a human signature.

lots of collected past postings related to fraud, exploits, vulnerabilities, etc
http://www.garlic.com/~lynn/subpubkey.html#fraud

some number of posts on account number harvesting
http://www.garlic.com/~lynn/subpubkey.html#harvest

---------------------------------------------------------------------
The Cryptography Mailing List