a little more clarification for electronic signature taxonomy * authentication - something you have - somehting you know - something you are * non-repudiation * demonstrate intent and/or agreement The typical, traditional use of certificates are to indiscriminately broadcast them at the slightest propogation. As a result, there can be hundreds or thousands of copies of a particular certificate floating around the world. Digital signatures as part of a authentication business process is looking for being able to uniquely infer * something you have * something you know * something you are now, if I have a hardware token that contains a private key and performs digital signatures .... and the hardware token can be certified as containing a unique private key and highly resistant to allowing a duplicate of that private key to be copied .... then when a digital signature is performed, then one might infer that it is in the possession of the individual owning the hardware token. From the appilcation of a digital signature, one might infer that it is in the possession of the token owner and therefor infer one-factor authentication "something you have". The possession of a digital certificate doesn't carry the same weight, since it has been established that there are possibly thousands of copies floating around the world .... so it can't be the basis of one-factor, something you have authentication. Futhermore, if the hardware token is also certified to work in a specific way when a PIN is supplied, then it might be plausable to infer two-factor authentication when such a hardware token performs a digital signature, aka two-factor authentication; something you have (the hardware token) and something you know (the PIN for the hardware token). As a side-note, such a PIN is not a shared-secret since it need not be divulged to any other entities (than the token owner). The PIN and token may be assumed to be unique as the basis for establishing two-factor authentication; something you have and something you know. The possession of a digital certificate doesn't carry the same weight, since it has been established that there are possibly thousands of copies floating around the world ... so it the contents of a digital certificate can't be the basis of two-factor, something you have and something you know, authentication. Similarly, the existance and/or possession of a certificate also doesn't infer something you are authentication. The assertion is that certificates are part of support of an offline paradigm, providing stale, static copies of information for trust propogation. -- Internet trivia, 20th anv: http://www.garlic.com/~lynn/rfcietff.htm
