[plug] Alternatives to Verisign/Thawte

James Devenish devenish at guild.uwa.edu.au
Fri Sep 19 07:41:45 WST 2003


In message <1063925023.1155.9.camel at latte.internal.itmaze.com.au>
on Fri, Sep 19, 2003 at 06:43:43AM +0800, Onno Benschop wrote:
> While I understand what you're saying, that is only true when (and if)
> this starts. It's the same for when Thawte started. My whole point was
> that you have got to start somewhere.

With Thawte and Verisign, for example -- it's already been going on for
years! For a fee, Verisign will provide you with a certificate that you
can use as your own publicly-trustable certificate authority. That is to
say, you can sign certificates that will be trusted by run-of-the-mill
web clients because Verisign has certified that they trust you to sign
certificates. The only direct person-to-person contact that is necessary
is the process by which the certificates are signed -- this keeps the
burden on the service providers not the users.

Remember: all this is not to say that Verisign is certifying you as a
"resonsible online merchant" or a "reliable provider of webmail
services". It is simply an establishment of *identity*, and we assume
that the well-known CAs are only issue certificates to parties that
provide reasonable evidence of their legal identity. I think we both
understand this, but I wanted to make it clear that this is the position
I am coming from.

They say that everyone in the world is connected by no more than six
degrees of separation. So in your scheme of things, I won't have to look
far to find someone who knows Matt who knows Kimberly who knows Leon who
knows Linus, for instance. BUT we are not in a great situation. Although
Linus has "proven" to me that Leon is really Leon, Leon has not said
that Linus is really Linus. So, we need it to work "both ways".
Everyone that knows Linus (e.g. Leon) needs to sign Linus' certificate.
And everyone who knows Leon (e.g. Kimberly) needs to sign Leon's
certificate, etc. As you say, this does not scale well! And what if I
want to trade with an online merchant? Perhaps back in 1998, Linus knew
the proprieter of the online merchant and via this way I "trust" the
identity of the online merchant Linus because everyone has been signing
everyone else's certificates. BUT what if the merchant changes its name?
Linus and the merchant (and everyone they knew) now needs to remove all
the signing from their certificates and re-establish the trust using the
new name. (Doesn't scale well.) Instead, the current system puts all
this burden onto the well-known CAs and the people who want their
identities to be certified. When I visit a site, there is almost always
a direct relationship (no more than 12 months old) between Verisign (for
instance) and the site. The starting point is the fact that I have
Verisign's credentials with me on my computer. Or more to the point:
"everyone" has Verisign's credentials on "any" computer. This is the
starting point.


_______________________________________________
plug mailing list
plug at plug.linux.org.au
http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug


More information about the plug mailing list