From: John Lowry <jlowry(_at_)bbn(_dot_)com>
Not a stupid statement, but incorrect nonetheless ... :-)
I have to agree with Stephen - the statement is correct.
The user has certain responsibilities with respect to the private
key - the primary one being not to disclose it to others. Without
that restriction on the user's behavior, there is nothing the
CA or the Relying Party can do to ensure that certification
is meaningful.
Another responsibility of the user is not to "disclose" it to
his or her alternate personalities :-) by requesting certification
of the same key under different policies or practices. Yes,
it is impossible for the CA to ensure that a given key has not been
certified elsewhere by the same user. But that is no more impossible
than for the CA to ensure that the key has not been certified elsewhere
by a *different* user (i.e. that the private key has not been
compromised).
I think this is an application issue and can be solved by binding
the signing certificate chain with the signed document.
Denis Pinkas would agree with you that binding the certificate or
chain to the signed data is a good idea. I don't disagree
with that in principle, but I regard it as an additional
"protection in depth" measure, not the first line of defense.
As a standard practice, keys should not be multiply-certified.
Specific exceptions can be made when the implications are
well-understood (recertifying a key at validity expiration, changing
administrative details such as name or organizational unit *IF* those
details are not critical to Relying Parties, augmenting the user's
privileges, etc.)