[plug] Alternatives to Verisign/Thawte

Onno Benschop onno at itmaze.com.au
Thu Sep 18 20:26:22 WST 2003


On Thu, 2003-09-18 at 19:46, James Devenish wrote:
> In message <1063884679.2801.46.camel at latte.internal.itmaze.com.au>
> on Thu, Sep 18, 2003 at 07:31:19PM +0800, Onno Benschop wrote:
> > My whole point is that a certificate only works if you trust the person
> > who signed it.
> 
> As long as you have a reasonable belief that you are actually
> communicating with that party.
> 
> > If I start issuing certificates, then Matt stands up and says: "This
> > Onno guy is trust-worthy", then Ben stands up and says "Matt knows
> > what he's talking about.", then Jon says that "he knows Ben and he's a
> > good guy", and you know Jon, you can trust certificates that come from
> > me.
> 
> Correct, but only if I have knowledge of Jon's PKI data. I have to have
> received something from Jon and this is where we get into a viscious
> circle -- how do I know that I have received uncorrupted data that
> really belongs to Jon?

This is where signing parties come in isn't it?

> > A much larger problem is if a big organisation - say a telco -
> > chooses an authority that you don't recognise, and you don't see any
> > reference to that authority on their pages.
> 
> How does reference to their authority on their pages make a difference?
> How do I know I am really viewing *their* pages? I should hardly get
> both the certificate authority and the web certificate from the same
> source! It I had, say, a "fingerprint" from their certificate on a piece
> of paper in my pocket and could compare that with what I see on-screen,
> it should be sufficient. But imagine if you had to physically visit the
> offices of your Japanese webmail provider so that they could give you a
> fingerprint on a piece of paper?

The piece of paper is the same as a signing party - in terms of a
mechanism.


> > Please, if you felt threatend by my language, I'm sorry. If I'm wrong,
> > please correct me.
> 
> No, I am not threated by you when you are wrong, only when you are right
> and we are reasonably sure we were talking about the same thing.

ROTFL.


Ok, back to the original discussion, which was (if I paraphrased it
correctly) about authorities you can recommend.

Your point about the viscious circle is what we're really talking about
here isn't it. Most IE users have (conciously or otherwise) trusted MS
when they say that a CA is a trustworthy entity.

What I was trying to get across is that one CA is no better than any
other CA, we're really only comparing their level of trust in the
market-place - ultimately a case of advertising - and their level of
customer service.

What would happen if when you register a Buisiness Name you get issued
with an SSL certificate. You could then use that certificate to acquire
a domain name. The domain and the certificate would then be linked to
your business entity, and thus to the legal entity.

While this does not stop fraudulent businesses opening their doors, just
like registering a domain or a name doesn't, it would link all these
"virtual entities" together with one key.

Let it be known that I'm not in favour of this.

I'd *much* rather go and visit Matt, who visited Kimberly, who visited
Leon, who shook hands with Linus, and have my certificates signed by
one-on-one transactions.

As I wrote that, I began to wonder how you might scale that - you can't.

So, if this E-commerce thing is ever going to work for real - for most
things not just incedental things - we as a group of IT geeks are going
to have to figure it out and lead the way.

I keep coming back to PLUG issuing certificates, but I'm sure there's a
hole there somewhere too...

Could you perhaps issue certificates with a "level of confidence", which
relates to your level or participation in a community and the level of
confidence the members of that community have with the idea that you are
who you say you are?

(Sorry, wandered a bit off the question there...)

Onno Benschop 

Connected via Optus B3 at S15:51'18" - E128:45'05" (Crossing Falls, Kununurra, WA)
-- 
()/)/)()        ..ASCII for Onno.. 
|>>?            ..EBCDIC for Onno.. 
--- -. -. ---   ..Morse for Onno.. 

Proudly supported by Skipper Trucks, Highway1, Concept AV, Sony Central, Dalcon
ITmaze - ABN: 56 178 057 063 - ph: 04 1219 8888 - onno at itmaze dot com dot au

_______________________________________________
plug mailing list
plug at plug.linux.org.au
http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug


More information about the plug mailing list