Hi, Oscar ...

On Wed, 13 Dec 2000, Oscar Jacobsson wrote:

> Alexander 'Alfe' Fetke wrote:
> > I am not looking for a long-time service but just for a single act of
> > service:  The CA shall have a close look at us to be sure that we are who
> > we claim to be and then issue a certificate which states that -- nothing
> > more :-}
> > 
> > Is no commercial CA capable and willing to offer such a service?
> 
> I would rather doubt it, I'm afraid, since what you would effectively be
> receiving, if you by 'commercial CA' mean 'a CA trusted by current web
> browser implementations', would be your very own CA certificate capable
> of issuing certificates which would then in turn also be trusted by the
> current crop of web browsers/relying parties.
> 
> So looking at this from a purely business-centric view, you are looking
> for a commercial CA to sell you the tools required for you to go into
> head-to-head competition with them, and at a conveniently fixed one-time
> price at that. :-)

it seems to me that we have a logical problem here right now.  if a
commercial CA gives me a certificate with which i can prove that i am who
i claim to be, it doesn't automatically mean that i always tell the truth.
it just proves my identity.  (or my authenticity, but let's ignore the
difference between those for a moment.)

now, if i issued a certificate for John Doe, using my purchased
certificate for this, then i would certify for John Doe that he is who he
claims to be.  but i could still be lying.  and i could also simply be
wrong because i made a mistake when i checked John Doe's identity.

so, why should someone trust the certificates i issued?  a receiver of
such a certificate i issued for John Doe could just say:  Trusting the
commercial CA Alfe used, I can be sure that _Alfe_ claims that the person
I talk to right now is John Doe.

technically speaking, you are right.  A typical browser today already trusts
a certificate if it trusts one link in its chain down to its root.
but just because a commercial CA sells me something, my social reputation
doesn't rise, so why do browsers do this?  (if they do at all, i do not know
all browsers.)

another point of view:  if i bought a certificate for sending emails, i
could hand out a signed document in which i stated that John Doe really is
that John Doe and that he owns that particular public key.  This document
would logically be a complete certificate.  one couldn't even call it an
abuse of my certificate, since it was bought for making statements
(sending emails).  the only difference from `proper' certificates would be
the ability of applications to read and interpret it automatically.  but
that is just a question of the intelligence of those applications.

> Plus, none of the current browsers, IIRC, have working revocation
> mechanisms in place anyway, so I know I would personally be *very*
> wary of trusting any authority using such certification practices.

this and the above makes me think that up to now the infrastructure is not
cleared up at all ...
                                        Alfe

--  / _|__  __  __   __|       __   __   SECURE INTERNET TECHNOLOGIES
  `/   |   (    __) /  | |  | |  ) /__\  http://www.xtradyne.com
  / \  |   |   (__| \._| (__| |  | \._,  Alexander Fetke, Developer
 '    Technologies AG     --'            [EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
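The scenarios Alfe and Oscar argue about can be put in front of a chain validator. The script below is an added example, not part of the original thread or of the OpenSSL project: it builds a constructed toy hierarchy with the openssl CLI and uses `openssl verify` as a stand-in for a browser's path validation (it assumes OpenSSL 1.1.1 or newer on PATH; every name, file and subject in it is made up). What it shows is that whether a purchased certificate may itself issue certificates that relying parties accept is decided by the issuing CA, in the certificate it sells: basicConstraints (CA:TRUE or CA:FALSE, optionally pathlen) and keyUsage (keyCertSign). A certificate bought "for sending e-mails" is rejected as an intermediate, a sub-CA certificate is accepted, and pathlen:0 is how a CA can let a customer issue end-entity certificates without letting him create further CAs.

```shell
#!/bin/sh
# Added example, not from the original thread: a toy hierarchy built with the
# openssl CLI and checked with `openssl verify`. All names and files are
# constructed for the demo; assumes OpenSSL 1.1.1 or newer on PATH.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles. The [req] section only exists so `openssl req -config`
# finds a DN section; -subj overrides the placeholder.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
commonName = placeholder

[ca_cert]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ca_cert_pathlen0]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign

[email_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
EOF

# new_csr NAME SUBJECT: fresh RSA key pair and CSR for one subject.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config ext.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# issue NAME ISSUER PROFILE: sign NAME.csr with ISSUER's key. `openssl x509
# -req` signs whatever it is given and does not care whether ISSUER may act
# as a CA; that judgement is left to the relying party.
issue() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

# chain_accepted ROOT LEAF INTERMEDIATE...: would a relying party that trusts
# only ROOT accept LEAF, given the intermediates as untrusted hints?
# Prints the verdict and returns 0 (accepted) or 1 (rejected).
chain_accepted() {
  root=$1; leaf=$2; shift 2
  : > untrusted.pem
  for i in "$@"; do cat "$i.pem" >> untrusted.pem; done
  if out=$(openssl verify -CAfile "$root.pem" -untrusted untrusted.pem "$leaf.pem" 2>&1); then
    echo "ACCEPTED: $leaf via $*"
    return 0
  fi
  echo "REJECTED: $leaf via $* -> $(printf '%s\n' "$out" | grep '^error' | head -n 1)"
  return 1
}

build_hierarchy() {
  # The commercial root that browsers trust (constructed stand-in).
  openssl req -x509 -new -newkey rsa:2048 -nodes -config ext.cnf -days 30 \
    -extensions ca_cert -subj "/CN=Commercial Root CA" \
    -keyout root.key -out root.pem 2>/dev/null

  # Case 1: Alfe buys an ordinary e-mail certificate and signs John Doe's
  # certificate with it.
  new_csr alfe_mail "Alfe (e-mail certificate)"; issue alfe_mail root email_leaf
  new_csr doe1 "John Doe";                      issue doe1 alfe_mail email_leaf

  # Case 2: the CA sells Alfe a sub-CA certificate (Oscar's scenario).
  new_csr alfe_ca "Alfe Sub-CA";                issue alfe_ca root ca_cert
  new_csr doe2 "John Doe";                      issue doe2 alfe_ca email_leaf

  # Case 3: a sub-CA certificate with pathlen:0. Alfe may issue end-entity
  # certificates, but any CA he mints below himself is rejected.
  new_csr alfe_ca0 "Alfe Sub-CA (pathlen 0)";   issue alfe_ca0 root ca_cert_pathlen0
  new_csr doe3 "John Doe";                      issue doe3 alfe_ca0 email_leaf
  new_csr alfe_sub "Alfe Sub-Sub-CA";           issue alfe_sub alfe_ca0 ca_cert
  new_csr doe4 "John Doe";                      issue doe4 alfe_sub email_leaf
}

build_hierarchy
chain_accepted root doe1 alfe_mail         || true  # rejected: issuer is not a CA
chain_accepted root doe2 alfe_ca           || true  # accepted
chain_accepted root doe3 alfe_ca0          || true  # accepted
chain_accepted root doe4 alfe_ca0 alfe_sub || true  # rejected: pathlen:0 exceeded
```

Run it with `sh`; it prints one verdict line per chain, and each REJECTED line carries the first error line from `openssl verify`, so the reason (no keyCertSign / CA:FALSE on the intermediate, or the path length constraint) is visible. The `|| true` on the four calls only keeps `set -e` from stopping the demo at the first expected rejection.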
