On 26/09/11 20:28 PM, StealthMonger wrote:
> Drill Grandma on one thing:
> ...REMEMBER THE KEY ID.
Actually, this is not only a reasonably interesting idea, it's part of
the PKI model. If Grandma gets defrauded by a false cert, and wants
some remedy, she has to identify who it was. Typically this would mean
keeping the cert (or KeyID) and presenting it to the CA.
Without being able to present these details, the CA won't even know if
it is their cert that is at fault. It could be a cert from their worst
enemy CA in another country. Or it could be a made-up cert with no
crypto data in it and the browser is buggy... Or maybe grandmama is lying...
If you have a good CA, it's written in the CPS somewhere ... for what it
is worth:
"*Keeping Records.* Records should be kept, appropriate to the
import of the decision. The certificate should be preserved. This should
include sufficient evidence to establish who the parties are
(especially, the certificate relied upon), to establish the transaction
in question, and to establish the wider agreement that defines the act."
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography