re:
http://www.garlic.com/~lynn/aadsm26.htm#32 Failure of PKI in messaging
another way of looking at the issue is somewhat alluded to in this blog post
http://www.garlic.com/~lynn/aadsm26.htm#1 Extended Validation - setting the minimum liability, the CA trap, the market in browser governance
somewhat contrasting SSL domain name certificate with association branded
payment instruments.
the association logos also promote a feeling of comfort for people doing
transactions ... but they have quite a bit of regulatory and policy standing
behind those transactions for the benefit of the consumer ... something that
you don't find in any of the ssl domain name certificate operations.
at least in some of the PKI publicity and hype ... the concept was conveyed that a relying party could base trust purely on a digital certificate ... that the existence of a digital certificate provided all the trust that anybody would ever need. however, there is a big gap between the level of recourse provided to a consumer using an association branded payment mechanism ... and the recourse provided to a consumer (relying party) by the existence of a digital certificate.
i would contend that basic fundamental asymmetric cryptography defined a business process that allowed an individual to somewhat equate digitally signed electronic communication as nearly equivalent to having face-to-face communication with an individual; aka it provided for authentication and integrity. there was no sense of "trust" ... the concept of trust was something that was associated with an individual or entity ... a digital signature somewhat put electronic communication on a level playing field with face-to-face communication ... allowing it to be associated with a specific individual or entity. the issue of "trust" was separate from being able to depend on that equivalence.
this starts out purely as a certificateless operation
http://www.garlic.com/~lynn/subpubkey.html#certless
or this email from 1981 discussing using public key for secure communication
http://www.garlic.com/~lynn/2006w.html#12 more secure communication over the network
various PKI related publicity and hype from the 90s basically attempted to suggest that digital certificates (added to an underlying public key operation) would actually provide the basis for "trust" between two parties that had no previous interaction (aka this is the letters of credit/introduction from the sailing ship days scenario). part of the issue was that there was frequently nothing that actually provided recourse to the parties in the event that something didn't go quite as expected (which is present in the association branded payment mechanisms). such publicity/hype may also account for any confusion that ssl domain name certification ... which is only the basis for concluding that the owner of a domain name is likely also the operator of a webserver (addressed by that domain name) ... is actually the basis for concluding that the webserver a person thinks they are talking to is actually the webserver they are talking to.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
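The distinction the post draws (a signature gives the relying party authentication and integrity; "trust" is a separate decision the relying party makes about the key holder) in a certificateless exchange, as an added example that is not code from the original post or its author. The party names, the Directory type, the sample messages and the choice of Ed25519 are assumptions of this example; the relying party's own prior association of a key with a party stands in for whatever process it actually uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedMessage is what travels over the network: the body plus a detached
// signature. No certificate accompanies it (certificateless operation).
type SignedMessage struct {
	Body []byte
	Sig  []byte
}

// NewKeypair generates a fresh Ed25519 keypair for one party.
func NewKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS entropy source is broken
	}
	return pub, priv
}

// Sign produces the detached signature over body with the sender's private key.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMessage {
	return SignedMessage{Body: body, Sig: ed25519.Sign(priv, body)}
}

// Verify answers exactly two questions: was Body signed by whoever holds the
// private half of pub (authentication), and has Body been altered since
// (integrity)? It says nothing about whether that key holder should be
// trusted for anything.
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(pub, m.Body, m.Sig)
}

// Directory is the relying party's own record of which public keys it has
// previously associated with which counterparties (compare an ssh known_hosts
// file). Adding a key here is the separate trust decision; it is not derived
// from any signature. Assumed structure for this example.
type Directory map[string]string

// Add records that the relying party has decided to associate pub with name.
func (d Directory) Add(pub ed25519.PublicKey, name string) {
	d[hex.EncodeToString(pub)] = name
}

// Identify looks up which known party, if any, a public key belongs to.
func (d Directory) Identify(pub ed25519.PublicKey) (string, bool) {
	name, ok := d[hex.EncodeToString(pub)]
	return name, ok
}

// Authenticate combines the cryptographic check with the relying party's own
// prior association of the key. pub is the key the sender claims; a valid
// signature from a key the relying party has no relationship with is
// reported as exactly that: verified, but not from anyone it knows.
func Authenticate(d Directory, pub ed25519.PublicKey, m SignedMessage) (string, error) {
	if !Verify(pub, m) {
		return "", errors.New("signature invalid: body altered or not signed by this key")
	}
	name, ok := d.Identify(pub)
	if !ok {
		return "", errors.New("signature valid, but key not associated with any known party")
	}
	return name, nil
}

func main() {
	alicePub, alicePriv := NewKeypair()
	strangerPub, strangerPriv := NewKeypair()

	dir := Directory{}
	dir.Add(alicePub, "alice") // the relying party's own prior decision

	// constructed sample message from a known party
	msg := Sign(alicePriv, []byte("please ship 10 crates to pier 4"))
	who, err := Authenticate(dir, alicePub, msg)
	fmt.Println(who, err) // alice <nil>

	// altered in transit: the integrity check fails
	tampered := SignedMessage{Body: []byte("please ship 99 crates to pier 4"), Sig: msg.Sig}
	_, err = Authenticate(dir, alicePub, tampered)
	fmt.Println(err)

	// a perfectly valid signature from a key nobody here has a relationship with
	forged := Sign(strangerPriv, []byte("i am alice, ship 99 crates to pier 4"))
	fmt.Println(Verify(strangerPub, forged)) // true: authentic and intact ...
	_, err = Authenticate(dir, strangerPub, forged)
	fmt.Println(err) // ... but that is not trust
}
```

The stranger's message passes Verify because the signature is genuine for the stranger's key; whether that key means anything to the relying party is answered only by the Directory, which is the post's point that trust lives with the entity and its relationships rather than in the signature.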