Bill Michaelson wrote:
> I've long believed that acceptance of liability by CAs is what would truly
> make certificates meaningful in a practical sense. I'd rather have a
> certificate with (fidelity?) insurance from Lloyd's or Citigroup than
> what Verisign offers, and it's really what irks me about the cost.

Consider that VeriSign arbitrarily and without warning cancelled all Class 2
Individual certificates earlier this year. This may have been in response to
active or pending litigation, or merely their attorneys' assessment of their
exposure.

Certificates will be practical when: there is strong assurance that the
binding between the public key and identity is correct and verifiable; there
are CAs and RAs which implement OCSP to verify whether a cert is currently
valid (CRLs and delta-CRLs are ridiculous); when the legal issues are
tested in the courts (see the ridiculous discussion on the meaning of
non-repudiation on the IETF PKIX mailing list). There are many problems
with certs and PKI that are subtle and non-technical (except to lawyers).

What liability would you have a CA assume? The current web model, with
a half-authenticated connection, places all the risk on the service provider,
including financial risk of credit fraud, etc. (it's a mail order transaction).
It seems to me that the CA is merely a notary service, attesting that (at
the time of issuance) the signed portion of the cert was verified.
--
QUI ME AMET, CANEM MEUM ETIAM AMET
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]