ietf-asrg

Re: [Asrg] S/MIME

2004-03-22 15:37:19
1.  This makes a great case for better verification at the time of the
certificate issuance.  Especially for code signing certificates from a major
software company.  Companies should be able to request extremely high
verification standards for themselves from companies like VeriSign,
especially if you're Microsoft.

2.  This makes a good case for a de facto standard of built-in HSMs on all
PCs.  I think the TCG "Trusted Computing Group" is pushing something like
that in their new standard.  Next month, the company I work for will release
our first notebook with a TPM built in.


George

----- Original Message ----- 
From: "Ken Hirsch" <kenhirsch(_at_)myself(_dot_)com>
To: <asrg(_at_)ietf(_dot_)org>
Sent: Monday, March 22, 2004 1:29 PM
Subject: Re: [Asrg] S/MIME


From: "Doug Royer" <Doug(_at_)Royer(_dot_)com>
No, the identity matches the cert. You're talking about content fraud not
identity fraud.

Consider the following two scenarios.
1. A person lies to the CA about their identity, yet the CA issues them a
certificate.
E.g. http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx

2. An email worm installs spyware which steals certificates off of PCs and
installs keystroke logging software to steal the password.  A spammer uses
the thousands of certificates to send email.

If either of these result in somebody sending mail claiming to be
"Doug(_at_)Royer(_dot_)com", is this identity fraud or content fraud?



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg





