Ian G wrote:
> Duane wrote:
>
> > Nelson pointed out how bad email verification is, but what if that's
> > all you can prove?
>
> If email is the only use for the cert, one could make
> a case that is good enough.

I agree if your only concern is the email address of the sender or recipient (e.g. maintain an ongoing discussion albeit anonymously) or the establishment of a re-usable 'trust session' with someone you will authenticate through other out-of-scope mechanisms.

> If HTTPS is the use for the cert, then as I suggested
> in some other random long rant today (!) we could
> always ask the domain owner to stick something in
> the HTTP page.

That's an interesting suggestion; it provides the same kind of authentication for HTTPS as the above does for secure email. If the session is initiated by the CA this proves the ability to control the host at the specified location. I wouldn't give them my CC# but it does create a relationship. I wouldn't provide any sensitive information to them as they could be hard to track down if I were facing fraud as presumably I wouldn't know their identity.
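
The check discussed in this message, sketched from the CA's side as an added example (not part of the original thread and not any CA's actual procedure). The `ca-challenge=` format, the HMAC binding of the challenge to the domain, the body-size cap and the injected `fetch` callable are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CA_KEY = secrets.token_bytes(32)  # hypothetical per-CA secret, generated for this demo
PREFIX = "ca-challenge="          # hypothetical marker format
MAX_BODY = 64 * 1024              # assumed cap on how much of the page the CA reads


def _tag(domain, nonce):
    msg = f"{domain.lower()}|{nonce}".encode()
    return hmac.new(CA_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(domain):
    """Return the string the applicant must place in the page served by `domain`."""
    nonce = secrets.token_urlsafe(16)  # unpredictable, chosen by the CA
    return f"{PREFIX}{nonce}.{_tag(domain, nonce)}"


def challenge_is_for(domain, challenge):
    """Recompute the tag so a challenge issued for one domain fails for another."""
    if not challenge.startswith(PREFIX):
        return False
    nonce, sep, tag = challenge[len(PREFIX):].partition(".")
    return bool(sep) and hmac.compare_digest(tag, _tag(domain, nonce))


def verify_control(domain, challenge, fetch):
    """CA-initiated check: fetch the page from `domain` and look for the challenge.

    `fetch(url) -> bytes` is injected so the example runs offline; a real one
    would make the request from the CA's side. True only shows control of the
    host at that name; it says nothing about the identity of whoever runs it.
    """
    if not challenge_is_for(domain, challenge):
        return False
    body = fetch(f"http://{domain}/")[:MAX_BODY]
    return challenge.encode() in body


if __name__ == "__main__":
    pages = {}  # constructed stand-in for the applicant's web server
    c = issue_challenge("example.org")
    print(verify_control("example.org", c, lambda u: pages.get(u, b"")))
    pages["http://example.org/"] = b"<html><!-- " + c.encode() + b" --></html>"
    print(verify_control("example.org", c, lambda u: pages.get(u, b"")))
```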