On Wed, 3 Sep 2003, James A. Donald wrote:

> --
> SSH server public/private keys are widely deployed. PKI public
> keys are not. Reason is that each SSH server just whips up its
> own keys without asking anyone's permission, or getting any
> certificates.
>
> Outlook and Outlook Express support digital signing and
> encryption -- but one must first get a certificate.
>
> So I go to Thawte to get my free certificate, and find that
> Thawte is making an alarmingly great effort to link
> certificates with true name information, and with the beast
> number that your government has assigned to you, which imposes
> large costs both on Thawte, and on the person seeking the
> certificate, and also has the highly undesirable effect that
> using these certificates causes major loss of privacy, by
> enabling true name and beast number contact tracing of people
> using encryption.
>
> Now what I want is a certificate that merely asserts that the
> holder of the certificate can receive email at such and such an
> address, and that only one such certificate has been issued for
> that address. Such a certification system has very low costs
> for issuer and recipient, and because it is a nym certificate,
> no loss of privacy.
>
> Is there any web page set up to automatically issue such
> certificates?
>
> The certs that IE and Outlook Express accept oddly do not seem
> to have any provision for defining what the certificate
> certifies.
>
> This seems a curious and drastic omission from a certificate
> format.
>
> Since there is no provision to define what a certificate
> certifies, one could argue that any certification authority
> that certifies anything other than a true name connected to a
> state issued id number, the number of the beast, is guilty of
> fraud. This would seem to disturbingly limit the usefulness
> and application of such certificates. It also, as anyone who
> tries to get a free certificate from Thawte will discover,
> makes it difficult, expensive, and inconvenient to get
> certificates.
>
> --digsig
> James A. Donald

Here is an interesting post regarding the CA issue:
http://lists.spack.org/pipermail/wordup/2003/000684.html

You may want to look at http://www.cacert.org. It may do what you want.