On 8/12/11 09:55 AM, Jon Callas wrote:
> On 7 Dec, 2011, at 11:34 AM, ianG wrote:
>> Right, but it's getting closer to the truth. Here is the missing link.
>> Revocation's purpose is one and only one thing: to backstop the liability to
>> the CA.
> I understand what you're saying, but I don't agree.

Sure. One way to look at this is the pure scientific way. Several
theories have been proposed. Which best explains the state of the world?
I.e., my theory explains why we're having this conversation, e.g., the
multiple "strange directions" and perpetual confusions.

> CAs have always punted liability. At one point, SSL certs came with a huge
> disclaimer in them in ASCII disclaiming all liability. Any CA that accepts
> liability is daft. I mean -- why would you do that? Every software license in
> the world has a liability statement in it that essentially says they don't even
> guarantee that the software contains either ones or zeroes. Why would
> certificates be any different?

Certificates are different because they make a positive claim that
speaks of reliance. Other stuff doesn't do that (e.g., software).

> I don't think it really exists, not the way it gets thrown around as a term.
> Liability is just a bogeyman -- don't go into the woods alone at night,
> because the liability will get you!

Software doesn't make a claim, so liability disclaimers probably work
fine. Certificates make a claim, so simply disclaiming the claim is
problematic. One needs a much cleverer integrated strategy in order to
neutralise the claim.
iang
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography