On 26/09/11 20:28 PM, StealthMonger wrote:
Drill Grandma on one thing:

      ...REMEMBER THE KEY ID.

Actually, this is not only a reasonably interesting idea, it's part of the PKI model. If Grandma gets defrauded by a false cert, and wants some remedy, she has to identify who it was. Typically this would mean keeping the cert (or KeyID) and presenting it to the CA.

Without being able to present these details, the CA won't even know if it is their cert that is at fault. It could be a cert from their worst enemy CA in another country. Or it could be a made-up cert with no crypto data in it and the browser is buggy... Or maybe grandmama is lying...

If you have a good CA, it's written in the CPS somewhere ... for what it is worth:

"*Keeping Records.* Records should be kept, appropriate to the import of the decision. The certificate should be preserved. This should include sufficient evidence to establish who the parties are (especially, the certificate relied upon), to establish the transaction in question, and to establish the wider agreement that defines the act."



_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
