ietf-smime

Re: Weakening the rigid hierarchical trust model

1997-12-31 15:40:46
NoSpam wrote:
<ideology excised> 

Accordingly, I advocate a technical specification that fully permits
self-signed certificates, that promotes their ease of transfer with the
message content, that provides for their review by the recipient, and for
his informed choice to accept or reject the certificate for various usages.
To treat (at the standards level) some certificates as first-class and
convenient, and others second-class and less convenient, based upon the
IETF working group's assessment of who has signed them, is paternalism,
reaching into the political and ideological mire of parochial and
provincial interests.

1. One may ensure that a choice is pro-active rather than accommodating,
without being paternalistic. Thus making it necessary for a user to obtain
self-signed certificates of unknown bona fides via seeking behavior, rather
than by easy acceptance of a choice screen (how often have users selected the
"wrong" option either inadvertently or through error), is simple prudence
appropriate to inclusion in an internet-wide standard expected to affect
many novices. The principle of positive action networks has been well
understood for years, particularly in the security field.

2. The notion that levels of security somehow make lower levels "second class"
(with overtones of social injustice) is simply incorrect. The discussion is
about whether to distinguish those CAs meeting agreed standards (as indicated
by certification by some higher-level authority, possibly ultimately through
the IPRA) from CAs about which one knows nothing a priori from the
certificates in that they are self-signed. Since the distinction can be of
major security significance, it is reasonable for users to have to seek out
and obtain such self-signed certificates through positive action pull rather
than through simple acceptance of a push.

The notion of being able to push malign certificates (since self-signing CAs
opens the door wide to that) on trusting users seems to me to be a pernicious
one not unrelated to that of free junk mail. While it is true that one can
always refuse to read such junk mail, distinguishing is a difficult task,
users are often harried with much mail, and issuers often go out of their way
to disguise such mail to take advantage of ambiguity and uncertainty. Far
better to use a pull system where users request such material if they want it.

David
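The pull-rather-than-push policy argued in this message, as an added Python example that is not part of the thread or of any S/MIME implementation: a recipient accepts a certificate pushed in a message only when it chains to a trust anchor (an IPRA-style root) or to a self-signed certificate the user previously fetched and pinned by positive action; a self-signed certificate that merely arrives with the mail is held, not accepted. The toy RSA key generation, the names IPRA, PCA, alice and bob, and the fingerprint-pinning step are constructed for this example and are assumptions, not anything the standard specifies.

```python
import hashlib
import math
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

Key = Tuple[int, int]  # RSA (modulus, exponent)


def _next_prime(n: int) -> int:
    while any(n % k == 0 for k in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


def toy_keypair(seed: int, e: int = 65537) -> Tuple[Key, Key]:
    """Textbook RSA on ~20-bit constructed primes: real signatures, zero security."""
    p = _next_prime(seed)
    q = _next_prime(p + 1)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:
        q = _next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public, private)


def _digest(tbs: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n


def _tbs(subject: str, issuer: str, pub: Key) -> bytes:
    return f"{subject}|{issuer}|{pub[0]}|{pub[1]}".encode()


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub: Key  # the subject's public key
    sig: int  # the issuer's signature over the to-be-signed fields

    def tbs(self) -> bytes:
        return _tbs(self.subject, self.issuer, self.pub)

    def fingerprint(self) -> str:
        """What the user compares against a value obtained outside the mail channel."""
        return hashlib.sha256(self.tbs() + self.sig.to_bytes(16, "big")).hexdigest()

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def issue(subject: str, pub: Key, issuer: str, issuer_priv: Key) -> Cert:
    n, d = issuer_priv
    return Cert(subject, issuer, pub, pow(_digest(_tbs(subject, issuer, pub), n), d, n))


def verify_sig(cert: Cert, issuer_pub: Key) -> bool:
    n, e = issuer_pub
    return pow(cert.sig, e, n) == _digest(cert.tbs(), n)


class Recipient:
    """One recipient's trust state: anchors already relied on (an IPRA-style root) plus
    self-signed certificates the user fetched and pinned by positive action."""

    def __init__(self, anchors: Iterable[Cert]):
        self.anchors: Dict[str, Cert] = {c.subject: c for c in anchors}
        self.pulled: Dict[str, Cert] = {}

    def pull(self, cert: Cert, expected_fp: str) -> None:
        """The pull: user-initiated, bound to a fingerprint checked out of band."""
        if not (cert.self_signed and verify_sig(cert, cert.pub)):
            raise ValueError("not a well-formed self-signed certificate")
        if cert.fingerprint() != expected_fp:
            raise ValueError("fingerprint mismatch, refusing to pin")
        self.pulled[cert.subject] = cert

    def evaluate(self, leaf: Cert, pushed: Dict[str, Cert]) -> Tuple[str, str]:
        """The push: decide on a cert that arrived in a message. `pushed` holds the other
        certs shipped alongside it, keyed by subject. Returns (decision, reason)."""
        cert, seen = leaf, set()
        while cert.subject not in seen:
            seen.add(cert.subject)
            known = self.anchors.get(cert.issuer) or self.pulled.get(cert.issuer)
            if known is not None:  # chain reached something the user already trusts
                if not verify_sig(cert, known.pub):
                    return "reject", f"signature by {cert.issuer} does not verify"
                kind = "trust anchor" if cert.issuer in self.anchors else "pinned self-signed cert"
                return "accept", f"chains to {kind} {cert.issuer}"
            if cert.self_signed:  # unknown self-signed CA arriving by push: never auto-accept
                return "hold", f"{cert.subject} is self-signed and not pinned; user must fetch and pin it"
            issuer = pushed.get(cert.issuer)
            if issuer is None:
                return "reject", f"issuer {cert.issuer} neither trusted nor supplied"
            if not verify_sig(cert, issuer.pub):
                return "reject", f"signature by {cert.issuer} does not verify"
            cert = issuer
        return "reject", "issuer loop in supplied certificates"


# Constructed hierarchy for the demo: IPRA signs PCA, PCA signs alice; bob is self-signed.
IPRA_PUB, IPRA_PRIV = toy_keypair(1_000_000)
PCA_PUB, PCA_PRIV = toy_keypair(1_100_000)
ALICE_PUB, _ = toy_keypair(1_200_000)
BOB_PUB, BOB_PRIV = toy_keypair(1_300_000)
IPRA_CERT = issue("IPRA", IPRA_PUB, "IPRA", IPRA_PRIV)
PCA_CERT = issue("PCA", PCA_PUB, "IPRA", IPRA_PRIV)
ALICE_CERT = issue("alice", ALICE_PUB, "PCA", PCA_PRIV)
BOB_CERT = issue("bob", BOB_PUB, "bob", BOB_PRIV)

if __name__ == "__main__":
    me = Recipient([IPRA_CERT])
    print(me.evaluate(ALICE_CERT, {"PCA": PCA_CERT}))  # accept: chains to IPRA
    print(me.evaluate(BOB_CERT, {}))                    # hold: self-signed, never pulled
    me.pull(BOB_CERT, BOB_CERT.fingerprint())           # stands in for the out-of-band check
    print(me.evaluate(BOB_CERT, {}))                    # accept: pinned by positive action
```

The three outcomes are the point: a chain to a known anchor is accepted automatically, a self-signed certificate that is merely pushed is held until the user pulls it, and once pinned, a later self-signed certificate that reuses the same name under a different key fails verification against the pinned key instead of quietly replacing it.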
