I have a problem of maybe misunderstanding concerning the certification process
which is closely related to the ongoing certification discussion. RFC 1424
specifies that certificates may be requested by sending electronic mail to
a CA. It also says that CAs may require other forms of request too. Now,
in the case of using electronic mail only, I do not see any chance of guarantee
that the certificate has any meaning at all, if the email request is not
signed already (conflict). Is this solution just a compromise to not being
able to handle requests in a more secure way in the starting phase? Is it just
meaning that this possibility exists, even if insecure? If I know that
it is possible to get a fake certificate by a fake email message, why should I
trust any signature at all? Maybe I overlooked something. Please clear
the fog...
Peter
--
Dipl.Ing. Dr. Peter Lipp - Institute for Applied Information Processing
Technische Universitaet Graz, Austria (University of Technology, Graz, Austria)
plipp(_at_)iaik(_dot_)tu-graz(_dot_)ac(_dot_)at