[EMAIL PROTECTED] wrote: > One can look at this in more general terms. For validation to mean > anything, > > what's validated has to be the semantically meaningful data - not some > incidental aspect of the transaction. The SSL model was based on the > assumption that the URL was semantically meaningful, and further that any > other semantically meaningful data was irreversibly bound to it, so that if > the URL were valid, anything you read using that URL could also be assumed > to be equally valid.
note that the other possible semantic confusion is referring to them as certificate authorities ... rather than certification authorities. they happen to distribute certificates which are a representation of the certication. however, there are some number of the certification authorities that 1) aren't the actual authoritative agency for the information being certified i.e. the certification authority is just checking with the real authoritative agency as to the validity of the information 2) many appear to actually prefer to just do "certificate manufactoring" ... a term we coined when we were doing audits of these new organizations called certification authorities ... back when we were consulting with the new client/server startup on something that has come to be called electronic commerce. of course the issue has always been that if you can do real-time, online certification it has no lower value than a stale, static, offline-oriented certificate. the business model tends to be further aggrevated by the fact that most of the certification authorities aren't actually the authoritative agency for the information being certified. it is highly likely that as online connectivity becomes more and more pervasive ... that people will start to realize the much higher value of having real-time, online certification. Since the majority of the certification authorities aren't actually the authoritative agency for the actual information, then any transition to high-value, real-time, online certification will tend to be done directly with the authoritative agency responsible for the actual informmation. at that point, most of the certification authorities become obsolete. an obfuscation is to concentrate on the certificates as having magical properties, distinct from their representation of an information certifying business process. referring to them as certificate authorities helps create semantic confusing as to where the business process value actual exists. similarly there have articles in the popular press referring to attached digital crrtificates as what provides the value to any digitally signed message/document ... further obfuscating the the value of authentication can be done with digital signatures with online registered public keys (where any digital certificates become totally redundant and superfluous). the other problem/issue with requiring x.509 identity certificates on every digitally signed message/document .... is that it turns what should be straight-forward, simple authentication operation into a heavy duty identification operation. this has also tended to cause semantic confusion as well as something of a schizo personality in some societies; especially those professing extremely stringent privacy principles and at the same time trying to mandate x.509 identity certificates attached to every electronic communication (making every electronic message an identification operation). misc. past posts referring to semantic confusion: http://www.garlic.com/~lynn/aadsm3.htm#kiss5 Common misconceptions, was Re: KISS for PKIX. (Was: RE: ASN.1 vs XML (used to be RE: I-D ACTION :draft-ietf-pkix-scvp- 00.txt)) http://www.garlic.com/~lynn/aepay11.htm#53 Authentication white paper http://www.garlic.com/~lynn/aadsm12.htm#30 Employee Certificates - Security Issues http://www.garlic.com/~lynn/aadsm13.htm#16 A challenge http://www.garlic.com/~lynn/aadsm15.htm#36 VS: On-line signature standards http://www.garlic.com/~lynn/aadsm19.htm#7 JIE - Contracts in Cyberspace http://www.garlic.com/~lynn/aadsm19.htm#24 Citibank discloses private information to improve security http://www.garlic.com/~lynn/aadsm19.htm#25 Digital signatures have a big problem with meaning http://www.garlic.com/~lynn/aadsm20.htm#8 UK EU presidency aims for Europe-wide biometric ID card http://www.garlic.com/~lynn/aadsm20.htm#44 Another entry in the internet security hall of shame http://www.garlic.com/~lynn/aadsm21.htm#13 Contactless payments and the security challenges http://www.garlic.com/~lynn/2003k.html#6 Security models http://www.garlic.com/~lynn/2004i.html#27 New Method for Authenticated Public Key Exchange without Digital Certificates http://www.garlic.com/~lynn/2005f.html#20 Some questions on smart cards (Software licensing using smart cards) http://www.garlic.com/~lynn/2005m.html#11 Question about authentication protocols http://www.garlic.com/~lynn/2005n.html#51 IPSEC and user vs machine authentication http://www.garlic.com/~lynn/2005o.html#42 Catch22. If you cannot legally be forced to sign a document etc - Tax Declaration etc etc etc http://www.garlic.com/~lynn/2005q.html#4 winscape? http://www.garlic.com/~lynn/2005r.html#54 NEW USA FFIES Guidance --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]