Dennis Glatting wrote:

> Certificate trust is a very relative concept. The focus here seems to
> be trust in an identification and issuing system. That is not the same
> as trust in certificate use. Certificate theft is but one very real
> problem that undermines the credibility of certificates in general.
> 
> If people install certificates on their PCs, as we would expect, the
> incidence of break-ins and theft (e.g., laptops) is currently very
> high. Because most private keys are protected by poorly chosen
> passwords, and a successful decrypt of a private key can be verified
> against the public key on the same machine, trust in a certificate use
> system is very low. (To make matters worse, at least in some parts of
> the USA, a signature can be legally binding.) Additionally, not one
> web site I have visited in the last year has asked for my client
> certificate, so the value of having a client certificate seems to me
> to be zero.

This is because everyone actually thinks of certificates as an
enhancement to e-commerce, but that's not it. E-commerce works great and does
not need CAs ...

If we do agree to take digital certificates to the level of an ID, then,
if we trust our government as a CA, we can vote, sign a contract and
so on via the Internet (or other digital means), giving improvements in real
life...

> Another issue that undermines certificate credibility is few systems,
> including web servers and browsers, actually check CRLs. If you don't
> check CRLs then PK anything is almost meaningless.

Not only CRLs; it is true that almost no software you find currently
supports OCSP... ok, that's true, but that is not the point: writing
software to implement support for verification services is not a problem
for the Internet community. I don't think this is the real problem.

> So, I don't see any guarantee or meaning to any on-line ID except in
> limited environments.

If we separate the implementation from the model, we can think about starting
to develop this kind of view and getting ready for the implementation to
come: technical problems usually get solved in short periods when the
community needs them, and many protocols and studies are
carried out every day (smart cards with crypto chips/OCSP/SCVP/etc...).

C'you,

        Massimiliano Pala ([EMAIL PROTECTED])

