On Sat, 26 May 2007, Allen wrote:

> Validating a digital signature requires getting the public key from
> some source, like a CA, or a publicly accessible database and
> decrypting the signature to validate that the private key associated
> with the public key created the digital signature, or "open message."

Yep.

> Which led me to the thought of trust in the repository for the
> public key. Here in the USA, there is a long history of behind the
> scenes "cooperation" by various large companies with the forces of
> the law, like the wiretap in the AT&T wire room, etc.
>
> What is to prevent this from happening at a CA and it not being
> known for a lengthy period of time? Jurors have been suborned for
> political reasons, why not CAs? Would you, could you trust a CA
> based in a country with a low ethics standard or a low regard for
> human rights?

The CA certifies that X is your public key. It doesn't know what your
private key is.

If the CA starts handing out false public keys - which is the worst
that it could do, right? - it will find itself instantly distrusted.
Everybody in the world will be able to see that the CA used its private
key to sign a false statement. The offended party need only put the
false declaration up on the Web.

--
Jim Dixon [EMAIL PROTECTED] cellphone 415 / 570 3608

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
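
The argument in the reply above, as an added example that is not part of the original message: a false key binding signed by a CA verifies for anyone who holds only the CA's public key, so the signed statement itself is the evidence. The toy RSA parameters, the certificate layout, and the function names `ca_certify`, `verify` and `conflicting` are assumptions made for illustration.

```python
import hashlib

# Toy textbook-RSA CA key built from two Mersenne primes (constructed for this
# example; far too small and unpadded for real use).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # CA private exponent (Python 3.8+)


def _digest(subject: str, pubkey_hex: str) -> int:
    """Hash the statement 'subject owns pubkey' to an integer below N."""
    msg = f"{subject}|{pubkey_hex}".encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def ca_certify(subject: str, pubkey_hex: str) -> dict:
    """CA side: sign the binding with the CA private key."""
    return {"subject": subject, "pubkey": pubkey_hex,
            "sig": pow(_digest(subject, pubkey_hex), D, N)}


def verify(cert: dict) -> bool:
    """Anyone: check the CA signature using only the public values (N, E)."""
    return pow(cert["sig"], E, N) == _digest(cert["subject"], cert["pubkey"])


def conflicting(certs: list) -> list:
    """Subjects for which the CA validly signed more than one key.
    The subject knows which key is theirs; the other signed binding is
    the declaration they can publish."""
    seen = {}
    for c in certs:
        if verify(c):
            seen.setdefault(c["subject"], set()).add(c["pubkey"])
    return sorted(s for s, keys in seen.items() if len(keys) > 1)


# Constructed sample data: key values are placeholders, not real keys.
genuine = ca_certify("alice@example.org", "aa11")
false_cert = ca_certify("alice@example.org", "ee99")  # key Alice never held
forged = dict(genuine, pubkey="ee99")                  # altered without the CA key
other = ca_certify("bob@example.org", "bb22")

if __name__ == "__main__":
    print(verify(genuine), verify(false_cert), verify(forged))
    print(conflicting([genuine, false_cert, forged, other]))
```

The false certificate passes verification exactly like the genuine one, while the altered copy made without the CA's private key does not.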
