--- "James A. Donald" <[EMAIL PROTECTED]> wrote:
>     --
> On 11 Jun 2003 at 20:07, Steven M. Bellovin wrote:
> > Let me point folk at http://www.securityfocus.com/news/5654 
> > for a related issue.  To put it very briefly, *real*
> > authentication is hard.
> I don't think so.
> Verisign's authentication is notoriously worthless and full of
> holes, yet very few attacks have been based on getting
> certificates issued to wrong party, or on stealing poorly
> defended and readily accessible certificates, even though that
> is quite easy to do.

On the whole PKI as used today is fairly useless.  I mean just because
Company A signed/issued me a key doesn't mean I'm a nice guy or a
legit business.  All it means is I paid money to have another company
sign my key.

What *would* be more useful is a model of web-o-trust.  E.g. you make
up your own key.  Then you import public keys from third-party auditors
you trust.  Over time the auditors will visit the business and if they
like it they will sign the key.

So say you trust auditors A, B and C and I trust auditors B, C and D.
Well chances are if company Z is good they will be audited by at least
one of the auditors we have in common.

Unfortunately there is easy corruption in this model so you would have
to keep tabs on your auditor yourself.   However, in this model it
wouldn't cost money [hey everything net-related should cost money
right?] and would actually be meaningful.



The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

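The auditor web-of-trust model sketched in the message above, as an added example that is not code from the original post or any project: a toy evaluation of whether a business key is accepted given the set of auditors you personally trust. The auditor names, secrets and fingerprints are constructed, and HMAC tags stand in for the asymmetric signatures a real deployment would use.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for real signatures: each auditor holds a secret and
# "signs" a business key's fingerprint with an HMAC tag. A real web of trust
# would use asymmetric signatures (e.g. OpenPGP), so verifiers never need the
# auditor's secret. Names, secrets and fingerprints below are all made up.
AUDITOR_SECRETS = {
    "A": b"auditor-A-secret", "B": b"auditor-B-secret",
    "C": b"auditor-C-secret", "D": b"auditor-D-secret",
}


def sign(auditor, fingerprint):
    """Auditor attests to a key fingerprint after visiting the business."""
    return hmac.new(AUDITOR_SECRETS[auditor], fingerprint.encode(),
                    hashlib.sha256).hexdigest()


def verify(auditor, fingerprint, tag):
    """True only if `tag` is a genuine signature by a known auditor."""
    if auditor not in AUDITOR_SECRETS:
        return False
    return hmac.compare_digest(sign(auditor, fingerprint), tag)


@dataclass
class BusinessKey:
    name: str
    fingerprint: str
    signatures: dict = field(default_factory=dict)  # auditor -> tag


def trusted_by(key, my_auditors):
    """Auditors I trust whose signature on `key` actually verifies."""
    return {a for a, tag in key.signatures.items()
            if a in my_auditors and verify(a, key.fingerprint, tag)}


def accept(key, my_auditors):
    """Accept the key if at least one auditor I trust has signed it."""
    return bool(trusted_by(key, my_auditors))


# Scenario from the message: you trust A, B, C; I trust B, C, D; Z was
# audited (and signed) by B and C, so each of us finds a common auditor.
YOU = {"A", "B", "C"}
ME = {"B", "C", "D"}
KEY_Z = BusinessKey("Z", "fp-z-0001",
                    {a: sign(a, "fp-z-0001") for a in ("B", "C")})
# A key whose "signature" was not produced by the auditor fails to verify.
FORGED = BusinessKey("Mallory", "fp-mallory", {"A": "00" * 32})
```

Dropping an auditor you no longer trust from your own set (the "keep tabs on your auditor" point) is just removing it from `my_auditors`; Z stays accepted as long as some other trusted auditor's signature still verifies.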