Ed Gerck wrote:
Also, in an effort to make their certs more valuable, CAs have made
signed messages imply too much -- much more than they warrant or can
There are now all sorts of legal implications tied to PKI signatures, in
largely exagerated and casuistic.
as discussed in numerous non-repudiation posts, dual-use threat posts,
and posts about human signatures .... where the human signature implies
that the person has read, understood, authorizes, approves, and/or
agrees with what is read and understood .,...
the validation of a digital signature with a public key implies that the
message hasn't been altered since transmission and there is "something
you have" authentication (the originator has access and use of the
corresponding private key). the simple validation of a digital signature
doesn't carry with it any of the sense of a human signature and/or
in most business scenarios ... the relying party has previous knowledge
and contact with the entity that they are dealing with (making the
introduction of PKI digital certificates redundant and superfluous).
Furthermore, x.509 identity certificates possibly horribly overloaded
with personal information would reprensent significant privacy issues.
i've claimed that in the aads effort
not having to be pre-occupied with trying to interest relying parties in
digital certificates containing information they already had .... we
were more free to concentrate on general threat, risk and vulnerability
analysis. for instance, one of the things that a relying party might be
really interested in is the integrity of the environment housing a
subject's private key (is it in a software file or a hardware token, if
a hardware token, what are the characteristics of the hardware token,
etc) and the integrity of the environment in which a digital signature
one possible scenario is that CAs wanted to convince relying parties in
the value of the certificates and not distract them with fundamental
business integrity issues ... which might have resulted in businesses
diverting money to fundamental business integrity items ... rather than
spending on redundant and superfluous digital certificates likely
containing information that they already had (i.e. having digital
certificates would result in magical fu-fu dust being sprinkled over the
rest of the infrastructure automagically precluding any such integrity
problems?). furthermore they could spread semantic confusion ... somehow
implying that because the term "digital signature" contained the word
"signature" ... it was somehow related to a human signature.
lots of collected past postings related to fraud, exploits.
some number of posts on account number harvesting
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]