On Fri, 1 Nov 2002, Xperex Tim wrote:

> I don't really see the value of free certificates. If they are free
> that means that the CA can't be doing any identity checks. So any
> schmoe can get a certificate with your name on it and claim to be you.
I agree that such certs are essentially anonymous. They are worthless for identifying *persons*. They can be useful for identifying an email account (if that is of any use) and they are quite useful for initializing secure channels.

I would be willing to accept evidence of possession of such a cert as proof of identity *if* I had verified that binding by other means. I would be willing to accept the integrity of an SSL session initialized by the use of such a cert even though I might require further proof that the session's payload was true at the point of origin.

The underlying point here is that evidence of possession of a given certificate can be used to verify a wide variety of things, but each type of identity requires a different kind of investigation before a binding can be trusted. "I am the person who sent you the previous packet" is an entirely different assertion from "I am the person whom you met in Chicago on date D" or "I am the person X named in Y's will".

-- 
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of "user".

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
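The distinction Mark draws above (a self-signed cert proves possession of a key and secures the channel, but the name inside it proves nothing until the binding has been checked some other way) can be made concrete in code. The following is an added example, not code from the thread or from the OpenSSL project. It uses Go's standard crypto/tls and crypto/x509 packages, mints two self-signed certificates carrying the same CommonName on different keys, and has the client accept a server only when the SHA-256 fingerprint of the presented certificate equals a pinned value. The pin stands in for the "verified by other means" binding; the name `alice@example.org` and the loopback listener are constructed for the example. Chain verification is deliberately switched off because there is no CA whose checks are being relied on, so the certificate with the right name but the wrong key is rejected, exactly the "any schmoe with your name" case from the original question.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// selfSigned mints a throwaway "free" certificate for cn: nobody checks the
// name, so anyone can mint one with the same CommonName on a different key.
func selfSigned(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// fingerprint is the SHA-256 of the DER certificate: the value that has to be
// bound to a person by other means before possession of the cert proves anything.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// pinnedClientConfig accepts a peer only if its leaf certificate hashes to pin.
// Chain building is off on purpose: no CA vouched for the name, so it carries no weight.
func pinnedClientConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // no CA to consult; trust comes from the pin
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 {
				return errors.New("peer presented no certificate")
			}
			if fingerprint(raw[0]) != pin {
				return errors.New("peer certificate does not match the pinned fingerprint")
			}
			return nil
		},
	}
}

// handshake starts a one-shot TLS listener on loopback holding serverCert and
// connects a client that pins pin; it returns the client's handshake error.
func handshake(serverCert tls.Certificate, pin string) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // drive the server side of exactly one handshake
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), pinnedClientConfig(pin))
	if err != nil {
		return err
	}
	conn.Close() // the handshake already succeeded; close_notify errors are irrelevant here
	return nil
}

// run mints two certificates with the same (constructed) name, pins the genuine
// one as if its fingerprint had been confirmed out of band, and opens a session
// to each; it returns the client-side result of both handshakes.
func run() (genuineErr, impostorErr error) {
	const name = "alice@example.org"
	genuine, err := selfSigned(name)
	if err != nil {
		return err, err
	}
	impostor, err := selfSigned(name) // same name, different key
	if err != nil {
		return err, err
	}
	pin := fingerprint(genuine.Certificate[0]) // the binding verified "by other means"
	return handshake(genuine, pin), handshake(impostor, pin)
}
```

`run()` returns nil for the genuine session and a non-nil error for the impostor, even though both certificates print the same Subject. Note what the pin does and does not buy: it lets the client trust that the peer holds the key it previously associated with Alice, which is the "I am the person who sent you the previous packet" kind of assertion; whether that key really belongs to the Alice you met in Chicago is still only as good as the out-of-band step that produced the pin.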