Seriously, I can confirm that the 2 certs will work.
Duh :-(((
Thanks for the clarification.
And under the PKI model, that's perfectly valid.
OK, then I claim that the PKI model is inherently flawed (probably intentionally) and not suitable to protect email between private persons where *nobody* else is supposed to listen. It is appropriate when only money matters and serious corporate espionage is not a factor.
That allows you to choose any CA you trust that will verify you to get your cert, as opposed to having that choice made for you.
With my proposal, you'd still have the choice (even the choice to use no CA), but once made, you'd be *bound* to that choice as long as you want your trust relationships to be valid. Makes sense to me. (Actually, even that could be solved with software support, see below.)
IETF...people are actually working on protocols to make that determination
Do you know any protocol names offhand?
To give you a concrete example, when I worked at Netscape I had a cert with my business e-mail address from the corporate CA. I also had a second cert with my business e-mail address from Thawte. I used the former to login to internal corporate sites with client auth, and the latter in my signed e-mails.
That would be fine, as each party would know you only by one cert, ever.
It gets critical when you *change* the cert towards one party. E.g. you wrote an email to me yesterday with the AOL cert, but today using the Thawte cert. I *should* get a bold warning from Mozilla about that, just like SSH does. I'd have to re-validate you, which is hard and people wouldn't do in practice, unless there's an automatic way to do it, e.g. by you sending the new cert to all your contacts, that mail signed with the old cert, and the client automatically detects that and chains the 2 certificates (in that direction only).
For e-mail, things were different. ... Unless they specifically checked the certs in my valid e-mail signatures, my correspondents could not tell which cert I was using.
That's exactly the security problem. If I can coerce any root CA to give me a cert for your email address, you lost.
Actually, that probably wouldn't even be that hard. I don't need to be a government for that, I'd only need to be able to listen to (and maybe intercept) your mailbox (that's exactly the problem that crypto tries to solve, right?). In that case I could apply for a Class 1 certificate (only validates email mailbox) from any CA, catch and respond to the verification mail to your mailbox, and then use that new certificate to pose as you in email towards your correspondents. Given what you said, they wouldn't notice the certificate change, answer me encrypted with the new key, I would catch the email from your mailbox again, decrypt it using my fake cert and be done. Attack successful.
If I can pull the same attack against your recipients, I could play the man in the middle, unnoticed unless someone looks very closely at the cert (and *maybe* the received headers).
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
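The SSH-style continuity check proposed in the thread (pin one cert per correspondent, warn when it changes, and accept the change only when a mail signed with the old cert introduces the new one, in that direction only), written out as an added example; this is not code from the thread or from Mozilla. The certificate blobs, the `SECRETS` table and the HMAC-based `demo_sign`/`demo_verify` are constructed stand-ins; a real client would fingerprint the X.509 DER and verify the rollover signature with the old cert's public key.

```python
import hashlib
import hmac

def fingerprint(cert: bytes) -> str:  # real clients hash the DER encoding
    return hashlib.sha256(cert).hexdigest()[:16]

class ContinuityStore:
    """Pins one certificate per correspondent, trust-on-first-use like SSH."""
    def __init__(self, verify):  # verify(cert, data, sig) -> bool
        self.known = {}          # e-mail address -> pinned fingerprint
        self.verify = verify

    def check(self, sender: str, cert: bytes, rollover=None) -> str:
        """rollover = (old_cert, sig by old key over cert); returns a verdict."""
        fp = fingerprint(cert)
        pinned = self.known.get(sender)
        if pinned is None:
            self.known[sender] = fp  # first contact: remember this cert
            return "first-seen"
        if pinned == fp:
            return "ok"
        # Cert changed. Accept only if the pinned *old* cert vouches for the new
        # one, i.e. the mail carries the old cert's signature over the new cert.
        if rollover is not None:
            old_cert, sig = rollover
            if fingerprint(old_cert) == pinned and self.verify(old_cert, cert, sig):
                self.known[sender] = fp  # old -> new only, never the reverse
                return "rollover"
        return "WARN"  # e.g. a Class 1 cert obtained from some other CA

# Constructed stand-in for signing: a side table of secrets keyed by cert blob.
SECRETS = {b"alice-2003": b"k1", b"alice-2004": b"k2", b"rogue-ca-cert": b"k3"}

def demo_sign(cert: bytes, data: bytes) -> bytes:
    return hmac.new(SECRETS[cert], data, hashlib.sha256).digest()

def demo_verify(cert: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(demo_sign(cert, data), sig)

def run_scenario() -> list:
    store, who = ContinuityStore(demo_verify), "alice@example.invalid"
    old, new, rogue = b"alice-2003", b"alice-2004", b"rogue-ca-cert"
    return [
        store.check(who, old),                                   # first-seen
        store.check(who, old),                                   # ok
        store.check(who, rogue),                                 # WARN: unknown cert
        store.check(who, rogue, (old, demo_sign(rogue, rogue))), # WARN: bad rollover
        store.check(who, new, (old, demo_sign(old, new))),       # rollover accepted
        store.check(who, old),                                   # WARN: stale old cert
    ]
```

The third and fourth checks are the case discussed above: a different cert for the same address, with or without a forged rollover, gets the bold warning instead of silently replacing the pinned one.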
