On Thu, 23 Dec 1999, Massimiliano Pala wrote:

> What if certificates could be issued by Municipalities CAs? Just
> like they issue ID cards? I mean, now you need a credit-card to
> demonstrate you are you and able to spend... think about the
> possibility to get certificates issued by governments
> (municipalities for example) ... they are trusted because, if
> standards and policies are matched, you generally trust your
> governments (at least if you are not American... :-D It's a
> joke... ). That would guarantee your ID online and open services
> that could be offered to nearly every application you can think
> of....
> 

Certificate trust is a very relative concept. The focus here seems to
be trust in an identification and issuing system. That is not the same
as trust in certificate use. Certificate theft is but one very real
problem that undermines the credibility of certificates in general.

If people install certificates on their PCs, as we would expect, the
incidence of break-in and theft (e.g., laptops) is currently very
high. Because most private keys are protected by poorly chosen
passwords, and a successful decrypt of a private key can be verified
against the public key on the same machine, trust of a certificate use
system is very low. (To make matters worse, at least in some parts of
the USA, a signature can be legally binding.) Additionally, not one
web site I have visited in the last year has asked for my client
certificate, so the value of having a client certificate, seems to me,
is zero.

Another issue that undermines certificate credibility is that few systems,
including web servers and browsers, actually check CRLs. If you don't
check CRLs then PK anything is almost meaningless.

So, I don't see any guarantee or meaning to any on-line ID except in
limited environments.




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
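
The point in the message above about unchecked CRLs, shown as an added example that is not part of the original message or the OpenSSL project's code: a throwaway CA issues a client certificate and revokes it, and `openssl verify` is run with and without CRL checking. The CA, the subject names and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example; the CA, subject names and file names are all constructed.
crl_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        : > index.txt; echo 01 > serial; mkdir newcerts
        cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
EOF
        # Throwaway CA, one client certificate, then revoke it and publish a CRL.
        {
            openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" -keyout ca.key -out ca.pem &&
            openssl req -config demo.cnf -newkey rsa:2048 -nodes -subj "/CN=demo-user" -keyout user.key -out user.csr &&
            openssl ca -config demo.cnf -batch -notext -in user.csr -out user.pem &&
            openssl ca -config demo.cnf -revoke user.pem &&
            openssl ca -config demo.cnf -gencrl -out ca.crl
        } >/dev/null 2>&1 || { echo setup-failed; exit 1; }
        # A verifier that ignores CRLs still accepts the revoked certificate.
        if openssl verify -CAfile ca.pem user.pem >/dev/null 2>&1
        then plain=accepted; else plain=rejected; fi
        # With CRL checking on, the same certificate is refused.
        if openssl verify -CAfile ca.pem -crl_check -CRLfile ca.crl user.pem >/dev/null 2>&1
        then checked=accepted; else checked=rejected; fi
        echo "$plain $checked"
    )
    rc=$?; rm -rf "$d"; return "$rc"
}
crl_demo   # prints: accepted rejected
```

The first word is the verdict without CRL checking and the second is the verdict with `-crl_check`, both for the same revoked certificate.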
