--- "James A. Donald" <[EMAIL PROTECTED]> wrote:
> --
> On 11 Jun 2003 at 20:07, Steven M. Bellovin wrote:
> > Let me point folk at http://www.securityfocus.com/news/5654
> > for a related issue. To put it very briefly, *real*
> > authentication is hard.
>
> I don't think so.
>
> Verisign's authentication is notoriously worthless and full of
> holes, yet very few attacks have been based on getting
> certificates issued to the wrong party, or on stealing poorly
> defended and readily accessible certificates, even though that
> is quite easy to do.
On the whole, PKI as used today is fairly useless. I mean, just because Company A signed/issued me a key doesn't mean I'm a nice guy nor a legit business. All it means is I paid money to have another company sign my key.

What *would* be more useful is a model of web-o-trust. E.g. you make up your own key. Then you import public keys from third-party auditors you trust. Over time the auditors will visit the business and if they like it they will sign the key.

So say you trust auditors A, B and C and I trust auditors B, C and D. Well, chances are if company Z is good they will be audited by at least one of the auditors we have in common.

Unfortunately there is easy corruption in this model, so you would have to keep tabs on your auditor yourself. However, in this model it wouldn't cost money [hey, everything net-related should cost money, right?] and would actually be meaningful.

Tom
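The overlap check Tom describes (you trust A, B and C; I trust B, C and D; company Z is accepted by whoever trusts an auditor that signed its key), as an added Python example that is not part of the original thread. Auditor names A-D and company Z follow the post; the auditor keys and Z's key are constructed, and auditor signatures are stood in for by HMAC-SHA256 so the block runs with the standard library alone (a real deployment would use asymmetric signatures, with relying parties holding only the auditors' public keys). It also models the corruption caveat: a relying party can revoke an auditor it no longer trusts, and a forged endorsement never counts.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed auditor verification keys: stand-in for the auditors' public keys
# that each user imports into their own keyring.
AUDITOR_KEYS = {name: hashlib.sha256(f"auditor-{name}".encode()).digest()
                for name in "ABCD"}

def endorse(auditor: str, business_key: bytes) -> tuple[str, bytes]:
    """Auditor signs a business key after visiting the business (stand-in signature)."""
    return auditor, hmac.new(AUDITOR_KEYS[auditor], business_key, hashlib.sha256).digest()

def endorsement_valid(auditor: str, sig: bytes, business_key: bytes) -> bool:
    """Check that `sig` really came from `auditor` over exactly this business key."""
    key = AUDITOR_KEYS.get(auditor)
    if key is None:
        return False  # unknown auditor: nothing to verify against
    expected = hmac.new(key, business_key, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

@dataclass
class RelyingParty:
    """One user's keyring: chosen auditors, minus any later found to be corrupt."""
    trusted: set[str]
    revoked: set[str] = field(default_factory=set)

    def trusts_business(self, business_key: bytes, endorsements) -> bool:
        # Accept if at least one endorsement verifies and comes from an auditor
        # still trusted. Forged or untrusted endorsements never add up to trust.
        return any(auditor in self.trusted and auditor not in self.revoked
                   and endorsement_valid(auditor, sig, business_key)
                   for auditor, sig in endorsements)

    def revoke_auditor(self, auditor: str) -> None:
        self.revoked.add(auditor)

def demo() -> dict[str, bool]:
    z_key = b"constructed public key of company Z"
    you = RelyingParty(trusted={"A", "B", "C"})
    me = RelyingParty(trusted={"B", "C", "D"})
    by_b = [endorse("B", z_key)]  # common auditor: both of us accept Z
    by_d = [endorse("D", z_key)]  # only in my set: you reject, I accept
    forged = [("B", bytes(32))]   # claims to be B, but is not B's signature
    results = {"you_b": you.trusts_business(z_key, by_b), "me_b": me.trusts_business(z_key, by_b),
               "you_d": you.trusts_business(z_key, by_d), "me_d": me.trusts_business(z_key, by_d),
               "forged": you.trusts_business(z_key, forged)}
    me.revoke_auditor("D")  # D turns out to be corrupt: I stop counting its signatures
    results["me_d_after_revoke"] = me.trusts_business(z_key, by_d)
    return results
```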
