1. This makes a great case for better verification at the time of the
certificate issuance. Especially for code signing certificates from a major
software company. Companies should be able to request extremely high
verification standards for themselves from companies like VeriSign,
especially if you're Microsoft.
2. This makes a good case for a de facto standard of built-in HSMs on all
PCs. I think the TCG "Trusted Computing Group" is pushing something like
that in their new standard. Next month, the company I work for will release
our first notebook with a TPM built in.
George
----- Original Message -----
From: "Ken Hirsch" <kenhirsch(_at_)myself(_dot_)com>
To: <asrg(_at_)ietf(_dot_)org>
Sent: Monday, March 22, 2004 1:29 PM
Subject: Re: [Asrg] S/MIME
From: "Doug Royer" <Doug(_at_)Royer(_dot_)com>
No, the identity matches the cert. You're talking about content fraud not
identity fraud.
Consider the following two scenarios.
1. A person lies to the CA about their identity, yet the CA issues them a
certificate.
E.g. http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx
2. An email worm installs spyware which steals certificates off of PCs and
installs keystroke logging software to steal the password. A spammer uses the
thousands of certificates to send email.
If either of these results in somebody sending mail claiming to be
"Doug(_at_)Royer(_dot_)com", is this identity fraud or content fraud?
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg