Rhys and Steve both made some good points, which I'd like to acknowledge in
separate messages.

At the risk of over-simplifying, Steve pointed out that there are a number of
users for whom unforgeability is very important, but not necessarily in a
commercial or legal sense. If the president of a university or the general
manager of a plant or office broadcasts a message that the facility will be
closed tomorrow due to inclement weather, it is very important that his
message not be spoofable, for the pranksters have a good imagination. (It's
also important that the president avoid possible replay attacks, such as
sending out a digitally signed, fully authenticated message that says, "The
facility will be closed tomorrow" without specifying the exact date, but
that's a different problem.)

I agree, and both the naming and the degree of assurance that is provided by
CAs and PCAs do not need to be as rigid for such a use as they might have to
be if a digital signature were being used to validate the transfer of
valuable property in perpetuity.

Normally we think of nonrepudiation as being able to prove that someone did
indeed write something, so that we can compel performance on a contract, etc.
But it is just as important to be able to prove that someone else did NOT
write something, so this is just the flip side of the same problem.

I will grant that in most cases a message announcing a snow day has a very
limited information life, and that issues of revocation of certificates
affecting archived documents often don't apply.

But Steve went on to say:

The minimum infrastructure needed for this is
that the community of listeners needs the public key of the speaker.
It's helpful to have some sort of identifier associated with the
public key, but that does not mean that the identifier has to fit into
any sort of civil or legal naming system, nor that it be understood by
any third party.

I think this goes too far. The community of listeners needs to understand
that there is a binding that exists between the holder of a private key which
corresponds to the public key published in the certificate, and unless they
have a personal relationship and have effected a secure exchange of the
public key with that person, they have to know the name of the individual and
at least some implied right or authority if they are to give credibility to
the statement.

True, this does not _have_ to fit into any particular civil or legal naming
structure. But how else would you propose identifying the person with any
reasonable amount of specificity? Spock(_at_)rsa(_dot_)com is really Steve
Dusse, and Kent(_at_)bbn(_dot_)com is Steve Kent, not the mild-mannered Clark
Kent, but how do I know that for sure? What if someone sends me an e-mail
invitation to the White House, and it is digitally signed "Hillary Clinton
<98765(_dot_)4321(_at_)CompuServe(_dot_)COM>"? For all I know she might have
a CompuServe account, and that might really be her. Maybe, but I wouldn't
dust off my tux without further confirmation. And if I need further
confirmation, why did I need a digital signature in the first place? The
third parties in this case are the listeners themselves, not a judge.

So _somebody_ needs to say that this particular Hillary Clinton is the first
lady, and not some housewife that just happens to have the same name and a
CompuServe account.

Bob
Robert R. Jueneman
GTE Laboratories
40 Sylvan Road
Waltham, MA 02254
617/466-2820
Jueneman(_at_)GTE(_dot_)COM