[plug] Alternatives to Verisign/Thawte

James Devenish devenish at guild.uwa.edu.au
Thu Sep 18 19:46:48 WST 2003

In message <1063884679.2801.46.camel at latte.internal.itmaze.com.au>
on Thu, Sep 18, 2003 at 07:31:19PM +0800, Onno Benschop wrote:
> Hold on, am I reading here that you're saying that getting a certificate
> from an authority (eg. one that MS trusted enough to build into IE), is
> a trustable certificate?

For a definiton of "trust" that means "the server on the other end is
almost certainly who it claims to be, has not been tampered with, and is
not having its connections intercepted by a malicious third party", then

> My whole point is that a certificate only works if you trust the person
> who signed it.

As long as you have a reasonable belief that you are actually
communicating with that party.

> If I start issuing certificates, then Matt stands up and says: "This
> Onno guy is trust-worthy", then Ben stands up and says "Matt knows
> what he's talking about.", then Jon says that "he knows Ben and he's a
> good guy", and you know Jon, you can trust certificates that come from
> me.

Correct, but only if I have knowledge of Jon's PKI data. I have to have
received something from Jon and this is where we get into a viscious
circle -- how do I know that I have received uncorrupted data that
really belongs to Jon?

> Again, if PLUG decides to issue certificates and enough people trust
> PLUG, it is as valid as a certificate as one from one that's built into
> IE.

No dispute there.

> A much larger problem is if a big organisation - say a telco -
> chooses an authority that you don't recognise, and you don't see any
> reference to that authority on their pages.

How does reference to their authority on their pages make a difference?
How do I know I am really viewing *their* pages? I should hardly get
both the certificate authority and the web certificate from the same
source! It I had, say, a "fingerprint" from their certificate on a piece
of paper in my pocket and could compare that with what I see on-screen,
it should be sufficient. But imagine if you had to physically visit the
offices of your Japanese webmail provider so that they could give you a
fingerprint on a piece of paper?

> Please, if you felt threatend by my language, I'm sorry. If I'm wrong,
> please correct me.

No, I am not threated by you when you are wrong, only when you are right
and we are reasonably sure we were talking about the same thing.

plug mailing list
plug at plug.linux.org.au

More information about the plug mailing list