Yes, there is only one signature per certificate. But don't forget that
you can have more than one certificate (depending on their individual
purpose), each issued by different CAs.

There are some multinational initiatives that try to address the problem
of trust between countries (I assume that in each country this issue can
be easily solved as in Sweden, Portugal, etc). Some of these initiatives
are already public like the EU Directive on Qualified Certificates. This
doesn't imply that we'll need a common root of trust; don't forget
cross-certification, but this method is not to be abused, otherwise
we'll end up with a PGP approach.

Finally, the PGP approach is not acceptable to business because trust has
not the transitive property. So that's why the TTP entity was created,
to provide trust between 2 entities which don't know each other and which
is accountable if something goes wrong.

Regards,

Richard Levitte - VMS Whacker wrote:
> 
> From: Kent Crispin <[EMAIL PROTECTED]>
> 
> kent> Just thinking out loud...
> kent>
> kent> Note that the PGP "web of trust" model works without a centralized CA,
> kent> and that free key servers exist.  Perhaps there is some hybrid possible,
> kent> where people can register for free/low cost, and can also register as
> kent> independent CAs.  By gaining endorsements from other registrants,
> kent> gradually build up a hierarchy of signers that are considered extremely
> kent> trustworthy -- these highly endorsed signers would effectively be mini
> kent> CAs, with high reputation in the community...*why* they are considered
> kent> trustworthy wouldn't need to be addressed, and they could market their
> kent> trustworthiness however they thought best...
> 
> And there we have the difference in philosophy between the two systems
> in a nutshell.
> 
> What you say is a nice thought, and I'd very much like to see
> something like that, but I see one problem with it, at least with the
> current definition of RFC2459 certificates (as I understand RFC2459.
> If I'm way wrong, please tell me): there can only be one signature for
> each certificate.
> 
> The consequence of this is that you can't really get a web of trust
> with RFC2459, you rather get a hierarchy of trust, which means that
> sooner (or later, but I don't really believe that), you will end up
> with some kind of institution at the top that everyone trusts.  And I
> hardly see this kind of hierarchy ever becoming a system of _personal_
> trust that is the basis of the PGP web of trust.
> 
> In any case, there are already institutions that we (or at least,
> that's how it works in Sweden) give a certain amount of trust to hold
> the ultimate proof of our identity (in Sweden, it's the IRS, of all
> things).  It would be quite natural for those to start handing out
> certificates.  I think this has already started, or at least that the
> foundations for such a thing are being laid out, but I'm sure there
> will be one or another trivia master who will correct me on this :-).
> 
> --
> Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
> Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
> Redakteur@Stacken   \      SWEDEN       \ or +46-709-50 36 10
> Procurator Odiosus Ex Infernis             -- [EMAIL PROTECTED]
> Member of the OpenSSL development team: http://www.openssl.org/
> Software Engineer, Celo Communications: http://www.celocom.com/
> 
> Unsolicited commercial email is subject to an archival fee of $400.
> See <http://www.stacken.kth.se/~levitte/mail/> for more info.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]

-- 
=======================================================
Bruno Salgueiro       (mailto:[EMAIL PROTECTED])
                   
SIBS - Sociedade Interbancária de Serviços
Rua Soeiro Pereira Gomes, Lote 1, 1600 Lisboa, Portugal

Tel: + 351 21 791 88 33
Fax: + 351 21 794 24 40
http://www.sibs.pt

This message was signed with a MULTIcert certificate.
To obtain the certificate of the MULTIcert PILOT
Certification Authority, go to the site
            http://www.sibs.multicert.com

"Computers are useless. They can only give you answers."
                                        --Pablo Picasso
=======================================================
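
Added example, not part of the original thread: a small model of the point discussed above, that each certificate carries exactly one issuer signature while the same subject and key can hold several certificates from different CAs (cross-certification). All names (`Root-SE`, `Root-PT`, `Bank-CA`, `alice`) and key ids are constructed, and trust is reduced to issuer names; real path validation also checks signatures, validity periods and constraints.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # who the certificate is about
    issuer: str    # the single CA that signed it (one signature per certificate)
    key_id: str    # identifies the subject's public key

# Constructed sample data: two national roots that cross-certify each other.
CERTS = [
    Cert("Root-SE", "Root-SE", "k-se"),    # self-signed root
    Cert("Root-PT", "Root-PT", "k-pt"),    # self-signed root
    Cert("Root-PT", "Root-SE", "k-pt"),    # cross-certificate: SE vouches for PT's key
    Cert("Root-SE", "Root-PT", "k-se"),    # cross-certificate: PT vouches for SE's key
    Cert("Bank-CA", "Root-PT", "k-bank"),
    Cert("alice", "Bank-CA", "k-alice"),
]

def issuers_of(subject, certs=CERTS):
    """All CAs that issued a certificate for this subject (one certificate each)."""
    return {c.issuer for c in certs if c.subject == subject}

def build_paths(leaf, anchors, certs=CERTS):
    """Return every chain of names from `leaf` up to a name in `anchors`."""
    by_subject = {}
    for c in certs:
        by_subject.setdefault(c.subject, []).append(c)
    paths = []

    def walk(name, chain):
        if name in anchors:
            paths.append(chain)
            return
        for c in by_subject.get(name, []):
            # Skip self-signed certificates and issuers already on the chain:
            # mutual cross-certification forms a cycle in the issuer graph.
            if c.issuer == c.subject or c.issuer in chain:
                continue
            walk(c.issuer, chain + [c.issuer])

    walk(leaf, [leaf])
    return paths

if __name__ == "__main__":
    print(issuers_of("Root-PT"))
    print(build_paths("alice", {"Root-SE"}))
```

A relying party that trusts only `Root-SE` still reaches `alice` through the cross-certificate, without any common root above the two national CAs.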
