On 11/15/2008 05:18 PM, Ian G:
Eddy Nigg wrote:
On 11/12/2008 05:21 PM, Ian G:
Not sure why, but your posting arrived just only now...
What is clear is that the name is not really the essence of the process,
it is just one part. So if we are claiming the full essence of getting
people to court, we need to do other things;
We'd rather prefer to remain out of court, but that's the ultimate
option. The fact that identification details are listed in a certificate
usually is a prevention measure itself.
if we are just doing the
Name, we should avoid talking about the courts purpose unless we can
point to the other things as well, and show how it fits in.
But not only the name is validated usually, but address, locality as
well. The street address is many times not listed for non-EV certs, but
it would by court order possible to be disclosed.
You can, sure. But would you? Would you dare to masquerade as another
person, and do some harm?
It's not about me, but anybody who dares. Many do as your own junk
folder can provide evidence of. It's the easiest thing in order to
perform fraud.
Let's say you do that, and then the summons
arrives to your email address. You see the summons. What are you going
to do?
LOL! That's really naive thinking! Do you really believe that somebody
disguising his identity will bluntly use his own real IP address. :-)
Do you dare defy the court and not present yourself? If you do that,
then you are toast. If they (a claimant and a real bill gates) come
looking for you and find you, then not only have you committed a species
of deception, you've tried to ignore the courts. Not only is your case
compromised, but you've probably committed something against the court.
The problem is, nobody will ever know that it was me...
Instead, because you are a wiser person than that, you will simply
appear before the court, and say, "It is I, using that nym, but my real
name is Bob Smith." And the court will proceed to hear the case. At
least in english common law, it is OK to use any name you like, as long
as it isn't for fraudulent purposes.
Or if there aren't such intentions in first place use a validated
digital certificate. These days an unsigned mail should be always
consumed with a grain of salt...
If a claim is made by CAs that the Name is needed to pursue someone in
the courts, this is more or less deceptive.
Ha? Can you explain that? Here some example details strait from a
certificate:
E = [EMAIL PROTECTED]
CN = Eddy Nigg
L = Eilat
ST = South
C = IL
What's deceptive here? Additionally the CA has more information about
the subject such as the address and phone number.
If we accept that (and we are in a security market, regulated by audits
and/or vendors) then we should stop making that claim.
There is no claim to stop! The quality of the verification performed may
vary, but as a general rule, a verified certificate is sufficient to
reach the person in question (by court order or else). Of course a crook
may change address, but courts and law enforcement officials have their
tools to locate somebody sooner or later. Provided that the persona in
question is identified correctly.
OK. So the principle is that everyone may make their own risk
assessments, whether private or corporate. We may freely decide to
allocate our resources and make our decisions.
As I said, resources which are truly under my control, I may require a
verified identity too! I didn't meant a browser here, but rather other
resources, like a web site or mail server.
It would also mean that a vendor was free to experiment and choose
different security models c.f. Gerv's much lamented yellow bar and
Jonathon's 4-click process.
Isn't that what happened really? Not seeing your point.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
