On Mon, Oct 06, 2003 at 05:42:36PM -0400, Ken Hirsch wrote:
This is not generally true.
Agreed.
I have proposed a specific anti-spam certificate which would only be issued
when the subscriber states what anti-spam policy will be followed and
contractually agrees to it.
We're still lacking a classification of anti-spam policies ;-)
And exactly this is the reason why I don't "trust":
1) I don't trust CAs in general, because they have done (Verisign/Microsoft)
and probably do enough bullshit with certs. (If I look at what happens
when customers buy certs ... oh my god).
The fact that Verisign made a mistake is not a good argument. No system
will ever be perfect and certainly the PKI is relatively new. Verisign
detected the mistake within a reasonably short period of time and acted to
correct it.
Granted.
But there is no working way to revoke certs currently (and I don't mean
any experimental services). If a CA revokes a cert for a servername within
the expiration period I'd bet 98% of all browsers/mail clients in the
Internet will /not/ recognize it as revoked.
Sorry, but the fact that PKI is relatively new is IMHO even lesser an
argument. CAs charge a lot of money and they sell dreams and they try to
fake the users into trust (and that's what really makes me angry).
A proof that revocations don't work is the fact that even antivirus
companies had to add the cert to their lists to make them detectable.
See Thawte's SiteSeal for example (another VeriSign company). It is used
to display an image on a website to tell the visitor "this site is
secure and you can trust it and this is certified by Thawte". This is
IMHO bullshit, as the users don't look at the security information of
their browser anymore but rather at the image. Suppose I have
www.thawet.com
how long does it need with a graphics program to fake that sign and all
will ignore the warning, because they see the image that says "trust me".
And no CA will give me any cent back if the certified website takes the
money from my (and others') credit cards and lives happily thereafter on
the Cayman Islands. They will however say "it's your fault, why did you
trust them?".
So why should I trust any cert that I haven't made myself?
If someone has suggestions for improvement to the PKI, or an alternative to
it, by all means let us know. I haven't seen any system (e.g. "web of
trust") that was actually workable.
That's why I said that I trust neither of them.
IMHO there should be international binding guidelines on what has to be
checked and validated before a cert is issued. And there has to be
a common jurisdiction in that area. As long as I can patch my documents
I have to send to the CA and they have to believe it as they don't
contact e.g. German authorities to validate it, the certs are for
/dev/null and only usable for the CA as cash machine (as is every new
TLD ;-)
But this is getting way off topic IMHO so we should stop here and not
have Yakov to remind us.
\Maex
--
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
proportional to the amount of vacuity between the ears of the admin"