On Thu, 30 Mar 2000, Thomas Reinke wrote:
> [EMAIL PROTECTED] wrote:
> > So it seems to me that while the cert may certify that said organization
> > is who they say they are - nobody seems to ask if who they say they are
> > has any relevance to anything.
>
> [snip]
>
> Look back to the problem it is solving
> a) SSL makes sure no-one can intercept communications meant to be
> private
> b) Certificates authenticate that the person is who they say they
> are.
??? This is not a statement of a problem. What is the problem that is
solved by these properties, and how does that relate to a problem that
someone actually wants to solve?
> Trust goes to trusting that second statement, not the trustworthiness
> of the company behind the statement.
If we don't trust the CA, why should we trust the cert.s that it issues?
What basis would we have for trusting A's certification that a certificate
asserting that it belongs to B was in fact issued to B, other than to trust
that A has diligently investigated the requestor's claims and met our
standards for establishing that that person is in fact B?
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
"Where's the kaboom? There was supposed to be an Earth-shattering kaboom!"
-- Marvin Martian, 01/01/2000 00:00:00
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]