Arshad Noor wrote:
> While third-party verification is not the real issue, the issue
> is: can the third-party itself be trusted?  Who remembers the
> Verisign debacle from a few years ago with the Class-3 digital
> certificates issued through a social engineering attack, in the
> name of Microsoft?
>
> http://news.com.com/2100-1001-254586.html?legacy=cnet
> http://www.eweek.com/article2/0,1895,1243314,00.asp

there are actually several separate issues, some of which are

* who is doing certification
* what process are they using for certification
* are they willing to accept liability associated with their
certification
* how is the certification represented

using a taxonomy that clearly delineates the difference between
certification of information and using digital certificates for
representing that certification process ... somewhat shows up some of
the fallacy of self-signed digital certificates .... part of this is
sometimes people seem to be confusing the existence of a digital
certificate as having some magical certification quality all by itself
... rather than as a representation of some certification process.

PKIs and digital certificates are a business process to address the
letters of credit paradigm from the sailing ship days for offline
certification representation ... i.e. the relying party has no
mechanism for doing real-time and/or online checking of the validity of
the information. furthermore, the current generation of certification
authorities have tended to be independent 3rd parties who are checking
with various authoritative agencies as to the validity of some
information and then issuing certificates that represent that such a
checking process has been done. they typically haven't been the
authoritative agency actually responsible for the verified information.


as the online world with the internet is becoming more pervasive ... some
of the authoritative agencies actually responsible for various kinds of
information being verified have looked at providing online, real-time
verification services associated with the information in question
(as opposed to the stale, static certificate model that was designed to
meet the needs of relying parties that had no direct way of actually
contacting the authoritative agency for directly verifying the
information).

to some extent, as the online, internet world has become more pervasive
... the target offline market for digital certificates has shrunk and
there has been some migration to the no-value market segment. rather
than the relying party being unable to directly contact the
authoritative agency responsible for the information, the no-value
market has the relying party doing operations where there is
insufficient value justification for directly contacting the
authoritative agency (aka no-value operations). even this market
segment is shrinking as the internet is not only providing pervasive
world-wide online connectivity but also drastically reducing the cost
of that online connectivity world-wide.

a couple related posts on the subject:
http://www.garlic.com/~lynn/2005s.html#43 P2P Authentication
http://www.garlic.com/~lynn/aadsm21.htm#20 Some thoughts on
high-assurance certificates
http://www.garlic.com/~lynn/aadsm21.htm#21 Some thoughts on
high-assurance certificates

misc. collected past posts on ssl domain name server certificates
http://www.garlic.com/~lynn/subpubkey.html#sslcert

misc. collected past posts on certification environments that can be
done w/o requiring digital certificates for representing that
certification
http://www.garlic.com/~lynn/subpubkey.html#certless

_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
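The offline-versus-online distinction argued in the post above, as an added example that is not part of the original message or of the thread. It uses only Go's standard library x509 package and mints its own material: a constructed CA root, a leaf certificate issued by that CA, and a self-signed leaf for the same name, all relative to a pinned clock (RefTime). The StatusSource map is a stand-in for an online query to the authoritative agency (an OCSP responder or a direct lookup); the names newCert, OfflineCheck, Accept and BuildScenario are this example's own, not anything from the mailing list or from Mozilla.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RefTime is the relying party's clock, pinned so the example is deterministic.
var RefTime = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)

var serialCounter int64 // constructed issuer serial counter for the example

// newCert mints a one-year certificate for cn. parent == nil yields a
// self-signed certificate: the subject vouches for itself and no third
// party has performed any checking at all.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serialCounter++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serialCounter),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    RefTime.Add(-time.Hour),
		NotAfter:     RefTime.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.DNSNames = []string{cn}
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed: issuer is the subject itself
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// OfflineCheck is everything a relying party can do with only the certificate
// and its trust anchors in hand: chain signature, validity window, name
// binding. It contacts nobody, so it can only repeat what the certificate
// said at issuance time.
func OfflineCheck(leaf *x509.Certificate, roots *x509.CertPool, at time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, DNSName: leaf.Subject.CommonName})
	return err
}

// StatusSource stands in for a real-time query to the authoritative agency
// (constructed for the example): serial number -> current status.
type StatusSource map[string]string

func (s StatusSource) Lookup(c *x509.Certificate) string {
	if st, ok := s[c.SerialNumber.String()]; ok {
		return st
	}
	return "unknown"
}

// Accept is the relying party's decision: the static checks gate first, then
// the authoritative source is asked for the current status, which no
// certificate can carry.
func Accept(leaf *x509.Certificate, roots *x509.CertPool, src StatusSource, at time.Time) (bool, string) {
	if err := OfflineCheck(leaf, roots, at); err != nil {
		return false, "offline check failed: " + err.Error()
	}
	switch st := src.Lookup(leaf); st {
	case "good":
		return true, "chain valid and authoritative source reports good"
	default:
		return false, "chain valid but authoritative source reports " + st
	}
}

type Scenario struct {
	CA, Leaf, SelfSigned *x509.Certificate
	CAPool, SelfPool     *x509.CertPool
}

// BuildScenario constructs the three certificates and the two trust stores.
func BuildScenario() Scenario {
	ca, caKey := newCert("Example Certification Authority", true, nil, nil)
	leaf, _ := newCert("www.example.com", false, ca, caKey)
	self, _ := newCert("www.example.com", false, nil, nil)
	caPool, selfPool := x509.NewCertPool(), x509.NewCertPool()
	caPool.AddCert(ca)
	selfPool.AddCert(self)
	return Scenario{CA: ca, Leaf: leaf, SelfSigned: self, CAPool: caPool, SelfPool: selfPool}
}

func main() {
	sc := BuildScenario()
	later := RefTime.Add(400 * 24 * time.Hour)
	fmt.Println("CA-issued leaf vs CA root:      ", OfflineCheck(sc.Leaf, sc.CAPool, RefTime))
	fmt.Println("self-signed leaf vs CA root:    ", OfflineCheck(sc.SelfSigned, sc.CAPool, RefTime))
	fmt.Println("self-signed leaf vs itself:     ", OfflineCheck(sc.SelfSigned, sc.SelfPool, RefTime))
	fmt.Println("CA-issued leaf, 400 days later: ", OfflineCheck(sc.Leaf, sc.CAPool, later))
	revoked := StatusSource{sc.Leaf.SerialNumber.String(): "revoked"}
	ok, why := Accept(sc.Leaf, sc.CAPool, revoked, RefTime)
	fmt.Println("accept with online status check:", ok, "-", why)
}
```

The self-signed certificate passes OfflineCheck only when the relying party has already put that very certificate in its trust store, which is the point about self-signed certificates above: the certificate adds no certification of its own, it only restates a trust decision the relying party made elsewhere. The revoked case shows the other half of the argument: the CA-issued chain is still cryptographically valid, and only a query to the authoritative source changes the outcome.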