Date: Sat, Jun 12, 1993 at 3:20 PM
From: cme(_at_)ellisun(_dot_)sw(_dot_)stratus(_dot_)com
Subject: Re: (Non-PEM) self-signed certificate
> Your conclusion assumes that I have some contact with the person in
> question besides via e-mail.

i considered that the initial question was generally about "rsa" certificates
and not just pem's use of them. my assumption is not that you have contact with
the person in other ways than email, but that your requirement is not just the
branding of a set of messages as coming from the same originator. that is, you
wish to be certain that the person has the authority to make the statements
contained in the message. i believe this means that you have to know and trust
the binding of the message originator to the real object. i believe this is
particularly true in commercial messaging such as an edi message from a
purchasing agent of a company.

> If I "met" the person through e-mail (or postings) and have communicated
> only that way and if all of those messages had been signed by the same key
> -- then if I get a self-signed certificate signed by the same key, I have
> received *proof* that this certificate is really for that person. It is
> totally trustable.
>
> In this case, "that person" means literally "the person who knows the
> private key to match this public one" -- it says nothing about the person's
> name or occupation or employer -- or even about how many flesh-and-blood
> humans constitute that "person". (E.g., the boss's secretary signs his
> letters to some people; even writes them to some.)
>
> For many of my e-mail contacts, this is a fair description. I have never
> met the person, I probably never will and I really don't care who the
> person's employer is, what the person does for a living or what the
> person's name is on his/her birth certificate. All I care about is that
> this is the same person I've been conversing with all this time.
>
> - Carl

i grant that this ability to ensure that a set of messages came from the same
originator could be useful. what i don't understand is what a certificate (self
signed or not) brings to the party.
for example, if i received a signed message containing a public key and that
public key successfully validated the message, then all subsequently signed
messages that are successfully validated by that public key had to come from
the originator of the first message. what need is the certificate here?
i am in the office very late on a saturday night (oops, early sunday morning)
packing for an 18 day meeting in japan. i hope i can establish my email
connection from my hotel room so i can continue this conversation.
hoyt
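
The key-continuity check discussed in this exchange, as an added example that is not part of the original e-mail: a recipient pins the public key carried in the first validly signed message and accepts later messages only if they verify under that same key. It also shows that a self-signed certificate verifies for any key holder and any name. The toy textbook-RSA keys (built from Mersenne primes, no padding) and all names are constructed for illustration and are not suitable for real use.

```python
import hashlib

E = 65537  # public exponent shared by both constructed toy keys

def make_key(p, q):
    """Return (n, d): public modulus and private exponent (textbook RSA)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, n, d):
    return pow(digest(msg, n), d, n)

def verify(msg, sig, n):
    return pow(sig, E, n) == digest(msg, n)

class Correspondent:
    """Pins the public key that arrives with the first validly signed message."""
    def __init__(self):
        self.pinned = None

    def receive(self, msg, sig, claimed_n):
        if not verify(msg, sig, claimed_n):
            return "bad signature"
        if self.pinned is None:
            self.pinned = claimed_n
            return "first contact: key pinned"
        return "same originator" if claimed_n == self.pinned else "different key"

def self_signed_cert(name, n, d):
    """A (name, key) statement signed by the very key it names."""
    return name, n, sign(name + b"|" + str(n).encode(), n, d)

def cert_valid(cert):
    name, n, sig = cert
    return verify(name + b"|" + str(n).encode(), sig, n)

# Constructed keys: KEY_A is the long-standing correspondent, KEY_OTHER is anyone else.
KEY_A = make_key(2**127 - 1, 2**107 - 1)
KEY_OTHER = make_key(2**89 - 1, 2**61 - 1)

if __name__ == "__main__":
    c = Correspondent()
    print(c.receive(b"first post", sign(b"first post", *KEY_A), KEY_A[0]))
    print(c.receive(b"follow-up", sign(b"follow-up", *KEY_A), KEY_A[0]))
    print(c.receive(b"follow-up", sign(b"follow-up", *KEY_OTHER), KEY_OTHER[0]))
    # Both certificates verify: the signature proves key possession, not the name.
    print(cert_valid(self_signed_cert(b"carl", *KEY_A)),
          cert_valid(self_signed_cert(b"carl", *KEY_OTHER)))
```

The continuity guarantee comes from comparing against the pinned key; the self-signed certificate only restates that key alongside a name the signer chose.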