At 06:28 AM 5/27/2007, Allen wrote:
Validating a digital signature requires getting the public key from
some source, like a CA, or a publicly accessible database and
decrypting the signature to validate that the private key associated
with the public key created the digital signature, or "open message."
Which lead me to the thought of trust in the repository for the
public key. Here in the USA, there is a long history of behind the
scenes "cooperation" by various large companies with the forces of
the law, like the wiretap in the A&TT wire room, etc.
What is to prevent this from happening at a CA and it not being
known for a lengthy period of time? Jurors have been suborned for
political reasons, why not CAs? Would you, could you trust a CA
based in a country with a low ethics standard or a low regard for human rights?
Which lead me to the thought that if it is possible, what could be
done to reduce the risk of it happening?
This (if I'm understanding you correctly) is exactly the thing that
the web of trust [1] is intended to address. One issue with the web
of trust is how to bootstrap it. My understanding is that in the case
of PGP, this was handled by Zimmermann publishing his public key in
the (dead-trees) version of his book.
Udhay
[1] http://en.wikipedia.org/wiki/Web_of_trust
--
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]