On Tue, 23 May 2000, Mocha wrote:
>
> Who verifies that the CA is who they say they are? Is there a governing
> agency that overlooks all the CAs?
>
Ah. I think you have hit upon a question that should be asked more often.
Since the root cert is self-signed, there is no inherent way to verify
that certificate. You must have some out-of-band way to verify that
certificate and decide that you trust the CA that the certificate
represents. This is what hierarchical PKIs are based upon: that you
TRUST the root CA.
In the example of Netscape and IE browsers, out of the box you are given a
list of root certs. So really Netscape and Microsoft have chosen whom you
trust for you. Admittedly it is convenient to have this Trust List: it
saves you the trouble of retrieving the root certs, and saves you the
knotty problem of examining each CA's policies and procedures to determine
for yourself whether you should trust them.
But should you trust them? That question has not really been answered--
in fact you have not even been asked that question.
As far as I know there is no independent body which sanctions or verifies
CAs. And it is probably not in the interest of the current commercial
CAs to have one.
> >It is not that you are paying for them to say that you are who you are.
> >It is that you are paying for them to *assure* others that they have gone
> >to the appropriate lengths to verify that you are who you say you are.
>
> I think if the certificates are issued based on the information sent in by
> a company or individual, the certificate may be secure; however, the source
> of information could be faked. So that brings back the question of how can
> they assure others that a person or company is really who they say they are?
>
Well, if you have ever gotten a cert from a CA (e.g. an SSL site
certificate), then you would know that you need to go through several
documentation and verification steps: which usually amounts to providing
signed and notarized original documents of your organizational or company
name, some verification that you own the domain name, etc. This is the
labor-intensive procedure that you are paying for. No, it isn't
bullet-proof. I assume certs of higher importance have more stringent
verification methods.
But of course you can't (shouldn't) just assume that every CA does the job
well. Which brings me back to my first point: Most people that use SSL in
Netscape and IE overlook the question of whether they should be trusting
the CA to verify identities for the certs that the CA has signed.
But trusting those root certs may just be the price of convenience.
Imagine going through the list of Certs in your browser, verifying the
keys held therein using an out-of-band method, examining the policies and
procedures of the issuing CA, deciding whether you trust them, culling
the list based on your findings...
[ For simplicity, my discussion doesn't really address the notion that you
can have levels of trust in a CA or the CA's cert hierarchies. You may
decide to trust a CA for verifying that the love letter you got was really
from a secret admirer. Or you may trust a CA to verify that the
downpayment you just made on your house is really going to your loan
institution. ]
Hey, maybe we DO need a sanctioning body, but then how do you decide to
trust them? And how do you get the existing CAs to play ball?
yuji
----
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
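The point made above about self-signed roots, as an added example that is not part of the original thread: the script below builds two throwaway roots and a site cert with the openssl(1) command-line tool (the only thing it assumes is installed) and shows that a root's self-signature only verifies against the root itself, that a site cert validates only when the root that signed it is in the trust list handed to the verifier, and that the root's fingerprint is the handle you compare out of band before deciding to add it to that list. All names ("Constructed Root CA A", "www.example.test") are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Assumes only the openssl(1) command-line tool; every cert and name below is
# constructed on the fly in a temporary directory and thrown away afterwards.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway self-signed root CA (the common name is constructed).
make_root() {            # usage: make_root <basename> <common name>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue a leaf (site) cert signed by the given root, the way a CA would.
make_leaf() {            # usage: make_leaf <root basename> <leaf basename> <common name>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# A root is self-signed: issuer and subject carry the same name, so the
# signature only proves the cert is consistent with itself, nothing more.
is_self_signed() {       # usage: is_self_signed <cert file>
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Chain validation succeeds only when the signing root is in the trust list
# given to the verifier (the browser's built-in list plays this role).
verifies_against() {     # usage: verifies_against <trusted root file> <cert file>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The out-of-band handle for deciding whether to trust a root: its fingerprint,
# to be compared with a value obtained through a channel other than the cert.
fingerprint() {          # usage: fingerprint <cert file>  -> "AB:CD:..."
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

yes_no() { if "$@"; then echo yes; else echo no; fi; }

make_root rootA "Constructed Root CA A"
make_root rootB "Constructed Root CA B"
make_leaf rootA site "www.example.test"

echo "root A is self-signed:        $(yes_no is_self_signed "$WORK/rootA.pem")"
echo "root A verifies with itself:  $(yes_no verifies_against "$WORK/rootA.pem" "$WORK/rootA.pem")"
echo "root A verifies with root B:  $(yes_no verifies_against "$WORK/rootB.pem" "$WORK/rootA.pem")"
echo "site verifies with root A:    $(yes_no verifies_against "$WORK/rootA.pem" "$WORK/site.pem")"
echo "site verifies with root B:    $(yes_no verifies_against "$WORK/rootB.pem" "$WORK/site.pem")"
echo "root A SHA-256 fingerprint:   $(fingerprint "$WORK/rootA.pem")"
```

Run it as-is; the last line is the value you would check against a fingerprint published by the CA through some channel other than the certificate download itself, which is the out-of-band step the message says the browser vendors have done on your behalf.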