
RE: Certificate / CPS issues

2003-06-06 10:16:21
Signs keys for people you don't LIKE?

I give (well sell) certs to plenty of people I don't LIKE. That is not the
issue, the issue is whether the authentication procedure is being applied
as stated in the CPS or not.

If a bogus certificate is issued and the CA refuses to revoke it then you
have a big problem.

In your scenario what happens if you find out that Ted Tso or Jeff Schiller
has signed a bogus key. Do you then revoke every key they ever issued on
that account?


Please remember that we are trying to solve the spam problem here. The
guys sending the stuff are organized criminals. It is bad if even one
criminal spam gets through. But it is also bad if you can't use email unless
you go pay $10,000 to some email good practice accreditation agency (yes
that is what they charge).

So yes we can use certificates to address the spam problem, but don't expect
the criteria to be set at military security levels. Most people simply won't
pay for that.

                Phill

-----Original Message-----
From: Pete Resnick [mailto:presnick(_at_)qualcomm(_dot_)com]
Sent: Friday, June 06, 2003 12:10 PM
To: Hallam-Baker, Phillip
Cc: 'ietf(_at_)ietf(_dot_)org'
Subject: RE: Certificate / CPS issues


On 6/6/03 at 7:41 AM -0700, Phillip Hallam-Baker wrote:

Do you think that folk signing PGP keys are undertaking unlimited 
liability should the certification turn out to be incorrect?

No, but if Mary turns out to be someone who signs PGP keys for people 
I don't like, I can simply say "Don't trust Mary" in my PGP 
application and the things she signs won't show up as valid unless 
someone I do trust signs them. If RSA screws up and signs keys for 
people I don't like, I can't (practically) say "Don't trust RSA" 
without invalidating a bunch of keys that I probably do want to trust.

I'm not by any means saying that PGP is a perfect solution. It's just 
that the liability scenario is very different because the amount of 
damage any given signer can do is much different.

pr
-- 
Pete Resnick <mailto:presnick(_at_)qualcomm(_dot_)com>
QUALCOMM Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102
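The point both posters are circling, the blast radius of withdrawing trust in one signer, can be made concrete with a small model. This is an added illustration, not code from the list or from either author; the key names, introducers and signatures are constructed sample data, and the two validation rules are deliberately simplified versions of the PGP and X.509 models.

```python
"""Trust-model blast radius: what a relying party loses when it withdraws trust
in one signer. Added illustration of the thread's argument, not code from the
list. All keys, signers and signatures below are constructed sample data."""

# Web of trust: (introducer, key they certified). Mary certified Mallory's bogus key.
WEB_OF_TRUST_SIGS = [
    ("mary", "alice"), ("mary", "bob"), ("mary", "mallory"),
    ("tom", "bob"), ("tom", "carol"),
]
# Hierarchical PKI: one root, one issuing CA, the same end-entity keys.
CA_SIGS = [
    ("rsa_root", "rsa_issuing"),
    ("rsa_issuing", "alice"), ("rsa_issuing", "bob"),
    ("rsa_issuing", "carol"), ("rsa_issuing", "mallory"),
]


def valid_keys_web_of_trust(sigs, trusted_introducers):
    """Simplified PGP rule: a key is valid if any introducer I fully trust signed it.
    Trust is per introducer, so withdrawing it touches only that introducer's signatures."""
    return {subject for signer, subject in sigs if signer in trusted_introducers}


def valid_keys_hierarchy(sigs, trusted_roots):
    """X.509-style rule: a key is valid only with an unbroken chain up to a trusted root.
    Trust lives at the root, so withdrawing it collapses every chain beneath it."""
    reachable = set(trusted_roots)
    changed = True
    while changed:  # propagate validity down the chains until nothing new is reached
        changed = False
        for signer, subject in sigs:
            if signer in reachable and subject not in reachable:
                reachable.add(subject)
                changed = True
    return reachable - set(trusted_roots)


def blast_radius(validate, sigs, trusted, withdrawn):
    """Keys that stop validating when the relying party withdraws trust in `withdrawn`."""
    before = validate(sigs, set(trusted))
    after = validate(sigs, set(trusted) - {withdrawn})
    return before - after


if __name__ == "__main__":
    # Mary turned out to sign keys for people I don't like: drop her alone.
    print(sorted(blast_radius(valid_keys_web_of_trust, WEB_OF_TRUST_SIGS, {"mary", "tom"}, "mary")))
    # The CA issued a bogus cert and won't revoke it: my only lever is the root.
    print(sorted(blast_radius(valid_keys_hierarchy, CA_SIGS, {"rsa_root"}, "rsa_root")))
```

Dropping Mary costs only the keys she alone vouched for, while dropping the root costs every key under it, which is why the CA's own willingness to revoke matters so much more in the hierarchical model.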



