[plug] Alternatives to Verisign/Thawte

James Devenish devenish at guild.uwa.edu.au
Fri Sep 19 08:03:06 WST 2003


I'm going to do a little pre-emption here. It might be unnecessary.

In message <20030918234143.GA4121 at mail.guild.uwa.edu.au>
on Fri, Sep 19, 2003 at 07:41:45AM +0800, James Devenish wrote:
> Everyone that knows Linus (e.g. Leon) needs to sign Linus' certificate.

Someone might argue that this is not the case: trust for Linus could be
established in a different way. For instance, if I visited Linus'
website (assuming he has one) and saw a fingerprint for his certificate,
I could compare this to the certificate I received from Matt. If there
is a match, I say that Matt has been certified in a chain of trust that
is itself trustable (I obviously can't ask Matt for this information
since that would provide sufficient opportunity for him to defraud me --
hypothetically). BUT:

 - Getting a fingerprint on Linus' site relies on Linus having a website
   that is always at the address specified in the certificates. What if
   his ISP changes? Verisign, for comparative purposes, will "always"
   have a website that is at the address specified in certificates.
   Convenient, eh?
 - This also relies on me being sure that Linus' website has not been
   modified and that my communication with his site has not been
   intercepted or modified. He could just sign the content of his site
   so that part of the problem is solved. But to be sure that the
   communication is secure, I need to make use of PKI. So I need him to
   have a site certificate that is signed by someone I trust. DOH! I'm
   back to where I started -- I need to establish an infinite number of
   chains of trust (impossible), or have everyone sign everyone else's
   certificates (impractical), or establish circular chains of trust (oh
   dear) via this person-to-person contact idea!


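The circularity argued in the message above can be modelled as a search for a chain that ends at something already trusted. This is an added example, not part of the original post; the names `linus-site`, `commercial-ca`, the three scenarios, and the choice of who signed what are assumptions made for illustration.

```python
"""Constructed model of the trust problem discussed in the message.

Assumption: "X vouches for Y" means X signed Y's certificate, or X is the
channel over which Y's fingerprint was fetched. All names are illustrative.
"""

def find_chain(cert, vouchers, anchors, _visiting=frozenset()):
    """Return a chain [cert, ..., anchor] ending at something already
    trusted, or None. A certificate that is still being evaluated cannot
    vouch for itself, so circular chains yield None."""
    if cert in anchors:
        return [cert]
    if cert in _visiting:
        return None  # circular: back where we started
    for voucher in sorted(vouchers.get(cert, ())):
        chain = find_chain(voucher, vouchers, anchors, _visiting | {cert})
        if chain is not None:
            return [cert] + chain
    return None

# Matt's certificate is signed by Linus; Linus' fingerprint is published on
# his website; the website's certificate is signed by Linus himself.
SELF_HOSTED = {
    "matt": {"linus"},
    "linus": {"linus-site"},
    "linus-site": {"linus"},
}

# Same, except the site certificate is signed by a commercial CA.
CA_SIGNED = dict(SELF_HOSTED, **{"linus-site": {"commercial-ca"}})

# Same as SELF_HOSTED, except Leon has also signed Linus' certificate.
LEON_SIGNED = dict(SELF_HOSTED, linus={"linus-site", "leon"})

if __name__ == "__main__":
    scenarios = [
        ("self-hosted, no anchor", SELF_HOSTED, set()),
        ("site cert from a CA I trust", CA_SIGNED, {"commercial-ca"}),
        ("Leon signed Linus, I trust Leon", LEON_SIGNED, {"leon"}),
    ]
    for label, vouchers, anchors in scenarios:
        print(f"{label}: {find_chain('matt', vouchers, anchors)}")
```

Only the scenarios with a pre-existing anchor produce a chain; the self-hosted fingerprint alone resolves to `None`.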