Arshad Noor wrote:
> While third-party verification is not the real issue, the issue
> is: can the third-party itself be trusted? Who remembers the
> Verisign debacle from a few years ago with the Class-3 digital
> certificates issued through a social engineering attack, in the
> name of Microsoft?
>
> http://news.com.com/2100-1001-254586.html?legacy=cnet
> http://www.eweek.com/article2/0,1895,1243314,00.asp
there are actually several separate issues, some of which are

* who is doing certification
* what process they are using for certification
* are they willing to accept liability associated with their certification
* how is the certification represented

using a taxonomy that clearly delineates the difference between certification of information and using digital certificates for representing that certification process ... somewhat shows up some of the fallacy of self-signed digital certificates .... part of this is sometimes people seem to be confusing the existence of a digital certificate as having some magical certification quality all by itself ... rather than as a representation of some certification process.

PKIs and digital certificates are a business process to address the letters of credit paradigm from the sailing ship days for offline certification representation ... i.e. the relying party has no mechanism for doing real-time and/or online checking of the validity of the information.

furthermore, the current generation of certification authorities have tended to be independent 3rd parties who are checking with various authoritative agencies as to the validity of some information and then issuing certificates that represent that such a checking process has been done. they typically haven't been the authoritative agency actually responsible for the verified information.

as the online world with the internet becoming more pervasive ... some of the authoritative agencies actually responsible for various kinds of information being verified have looked at providing online, real-time verification services associated with the information in question (as opposed to the stale, static certificate model that was designed to meet the needs of relying parties that had no direct way of actually contacting the authoritative agency for directly verifying the information).

to some extent, as the online, internet world has become more pervasive ... the target offline market for digital certificates has shrunk and there has been some migration to the no-value market segment. rather than the relying party being unable to directly contact the authoritative agency responsible for the information, the no-value market has the relying party doing operations where there is insufficient value justification for directly contacting the authoritative agency (aka no-value operations). even this market segment is shrinking as the internet is not only providing pervasive world-wide online connectivity but also drastically reducing the cost of that online connectivity world-wide.

a couple of related posts on the subject:
http://www.garlic.com/~lynn/2005s.html#43 P2P Authentication
http://www.garlic.com/~lynn/aadsm21.htm#20 Some thoughts on high-assurance certificates
http://www.garlic.com/~lynn/aadsm21.htm#21 Some thoughts on high-assurance certificates

misc. collected past posts on ssl domain name server certificates
http://www.garlic.com/~lynn/subpubkey.html#sslcert

misc. collected past posts on certification environments that can be done w/o requiring digital certificates for representing that certification
http://www.garlic.com/~lynn/subpubkey.html#certless

_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
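The contrast drawn in the post above, between a static certificate that a relying party can only check offline and a real-time check against the agency actually responsible for the information, as an added toy model in Python (example code, not part of the original post or of any real PKI). Everything in it is an assumption for illustration: an HMAC key stands in for the CA's signing key, the "authoritative agency" is an in-memory lookup table, and the subject names and key identifiers are made up. It also shows why a self-signed certificate proves nothing on its own: it carries a signature, but not one from any issuer the relying party trusts.

```python
import hashlib
import hmac
import json

# Hypothetical CA signing key: an HMAC key stands in for a real signature scheme.
CA_KEY = b"hypothetical-ca-signing-key"


def issue_certificate(subject, key_id, not_before, not_after, signing_key=CA_KEY):
    """Bind subject -> key_id for a validity window and sign the binding.

    A self-signed certificate is the same structure signed with a key the
    relying party has no reason to trust (pass signing_key=<subject's own key>).
    """
    body = json.dumps(
        {"subject": subject, "key_id": key_id,
         "not_before": not_before, "not_after": not_after},
        sort_keys=True,
    ).encode()
    sig = hmac.new(signing_key, body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_offline(cert, now, trusted_key=CA_KEY):
    """Relying party with no channel to the authoritative agency.

    All it can check is that a trusted issuer signed the binding and that
    'now' falls inside the validity window. It cannot learn that the binding
    has since changed: the certificate is static and goes stale.
    """
    expected = hmac.new(trusted_key, cert["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["sig"]):
        return False
    fields = json.loads(cert["body"])
    return fields["not_before"] <= now <= fields["not_after"]


class Authority:
    """The agency actually responsible for the subject -> key binding (in-memory stand-in)."""

    def __init__(self):
        self._bindings = {}

    def register(self, subject, key_id):
        self._bindings[subject] = key_id

    def revoke(self, subject):
        self._bindings.pop(subject, None)

    def lookup(self, subject):
        return self._bindings.get(subject)


def verify_online(cert, authority):
    """Relying party that can reach the authoritative agency directly.

    The certificate only tells it which binding to ask about; the answer comes
    from the live record, so a revoked or changed binding is seen immediately.
    """
    fields = json.loads(cert["body"])
    return authority.lookup(fields["subject"]) == fields["key_id"]


def demo():
    """Register, issue, then revoke.

    Returns ((offline, online) before revocation, (offline, online) after
    revocation, offline result for a self-signed certificate).
    """
    authority = Authority()
    authority.register("example.test", "key-A")  # constructed sample binding

    # The CA consults the authority at issuance time, then issues a static certificate.
    assert authority.lookup("example.test") == "key-A"
    cert = issue_certificate("example.test", "key-A", not_before=100, not_after=200)
    now = 150

    before = (verify_offline(cert, now), verify_online(cert, authority))
    authority.revoke("example.test")  # the binding changes after issuance
    after = (verify_offline(cert, now), verify_online(cert, authority))

    # A self-signed certificate has a signature, but not the CA's.
    selfsigned = issue_certificate("example.test", "key-A", 100, 200,
                                   signing_key=b"subject-own-key")
    return before, after, verify_offline(selfsigned, now)


if __name__ == "__main__":
    print(demo())  # ((True, True), (True, False), False)
```

After revocation the offline check still passes, because nothing in the certificate changed; only the online check, which asks the authority rather than the certificate, reflects the new state. Real deployments close this gap with revocation data (CRLs, OCSP), which is itself a move toward the online model the post describes.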