Pete Collins wrote:
No, they say "we believe someone has paid us for this certificate (or
will do so in the near future)". For most browser CAs, there's no
strong identity check, and single weak CA breaks the whole scheme.
That is a breach in credibility by the CA and when that happens that
CA should be dropped from the browser.
Like I have stated, signed code is just a veneer, but a necessary
first step out of many that is needed.
You're all correct! The issue is that the semantics of
what the cert means are not nailed down anywhere.
So, depending on who you ask, you will get a different
answer. And, depending on how you ask the question,
you might be lucky enough to get a different answer
from the same authoritive person!
OpenPGP for example side steps this entire issue by
declining to address the question. So in that world
there are two distinct groups: those who believe that
sigs on keys should only be swapped when strong
id docs like passports are viewed (and some copy
down passport numbers...) and those who believe
that docs should *not* be used, and believe whatever
is said. So, yes, you can get a sig saying you are Bill
Gates.
Which is it for PKI? It's all of them, or none of them.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
