Ian G wrote:
> Chris Palmer wrote:
>> Peter Saint-Andre writes:
>>
>>> http://www.saint-andre.com/blog/2006-02.html#2006-02-27T22:13
>>
>> 3. I see on your site you use and advertise for CACert. I hope CACert's
>> signing cert(s) are never trusted by my browser, because then my browser
>> would trust any cheap-ass random pseudonym in the world.

IMHO trust is something you do, not something your browser does. Unless you're going to delegate trust to the browser manufacturers...

>> Which brings us
>> to my next point...
>
> You are probably talking about the Class 1 root
> that CAcert uses to issue pseudonymous certs.
> Yes, they can be acquired by any cheap-ass
> pseudonym (but not randomly, as I think there is
> a serial number in there which I was told was
> an unavoidable artifact of x.509).
>
> Over on Peter's blog it seems to indicate he is
> an Assurer ... assuming that is correct [it isn't
> a cryptographically sound image :) ] then this
> means he is at least "assured" which is their
> term for his identity having been verified.

In CAcert, assurance is an action. You show me two government-issued photo IDs (GIPIDs) and I compare them with your visage and physical person; if I think they match, I "assure" you for some number of points in the web of trust. If you get to a certain number of points, you can use the Class 3 root. If you get even more points, you can become an assurer (someone who does assurances).

I happened to use the "trusted third party" process for assurance (get copies of my GIPIDs witnessed and notarized by two persons who are legally authorized in my jurisdiction to witness and notarize documents), which results in more points initially and the ability to become an assurer more quickly.

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml