On Tuesday 05 November 2002 11:19 am, Pablo Manalastas wrote:
> Why can't the same server that handles your mail also give out
> certified public keys of people whose mail it handles anyway.  

because, as stated in your scenario above, there are no limits to
who gets to certify which people.  anyone can set up a mail server.
does that mean that any cracker who can create an account
on his mail server named "[EMAIL PROTECTED]" can create a
certificate for that account?  sure, a lot of people will catch the
misspelling, but some won't.  and for some of those who don't,
money may be lost to one or another scam.

what the commercial certificate authorities provide is a tree of
trust which has only a few roots, and which has an economic
incentive to do its certification correctly (since it can be sued
for negligence, and it can suffer a loss of market share due
to negligence).  now, of course mistakes will still occur (e.g.,
there was that thing some years ago when someone scammed
a CA to create some certificates that were supposed to be
for microsoft but were actually delivered to non-microsoft
people [i forget the details, no doubt someone will help me
here]), but there is a feedback system for punishing those
who make mistakes and perhaps one or two different ways
for the people who lose money because of such errors to
either recover their losses from the CAs or at least punish
the CAs and hurt them enough so that they get more serious
about maintaining the integrity of the certificate authentication
process.

my take is, any ad-hoc system that has no hard incentives
against fraud or simple mistakes cannot be the basis of a
generally useful certificate verification system unless the
data to be protected by the system is worth very little.

tiger

-- 
Gerald Timothy Quimpo  tiger*quimpo*org gquimpo*sni-inc.com tiger*sni*ph

                   Veritas liberabit vos.
    ... region del sol querida, Perla del Mar de Oriente,
                  nuestro perdido Eden! ...
_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]

Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph

To subscribe to the Linux Newbies' List: send "subscribe" in the body to 
[EMAIL PROTECTED]
