Re: Lie in X.BlaBla...
On Fri, Jun 01, 2001 at 09:43:50AM -0700, Greg Broiles wrote:
> At 09:58 AM 6/1/2001 +0800, Enzo Michelangeli wrote:
> > > At 07:22 AM 5/31/2001 +0800, Enzo Michelangeli wrote:
> > > > Besides, it would be idiotic to grant access to information or authorization for a transaction to someone, just because he or she has presented a public key certificate: authentication protocols require possession of the private key. Those legislators just don't know what they are talking about. Scary.
> > >
> > > The statute didn't say "just because" or describe a technical architecture for an access control system - it criminalized the presentation of a certificate without owning the corresponding private key.
> >
> > Uhm... So, which devious use of someone else's certificate were those guys trying to address? Also a bona fide certificate server could fall afoul of such a law.
>
> They were trying to address any fraudulent (not devious) use of a certificate to gain access or information, without regard to the technical details.

I'm not a lawyer but I read it the way Greg does. Intent is required, so simply sending a cert that's part of a chain and which you don't hold the corresponding private key for, or acting as a directory, isn't illegal. But I'd bet that some enterprising DA, given a case where someone sends four certs in a chain and got the EE cert by fraudulent means, will charge them with four counts of violating this law.

Eric

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
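The proof-of-possession point made in the exchange above (a certificate by itself authenticates nobody; the relying party has to see a signature under the certified key) as an added example, not code from anyone in this thread. It uses only Go's standard library, a constructed self-signed Ed25519 certificate with a placeholder subject name, and models the "cert from a chain or directory" case as a presenter who holds the certificate but not its private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCert builds a constructed self-signed X.509 certificate for an
// Ed25519 key; the subject name is a placeholder, not real data.
func issueCert(pub ed25519.PublicKey, priv ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-example-subject"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyPossession is the relying party's check: accept only if the signature
// over a fresh nonce verifies under the certificate's public key.
func verifyPossession(cert *x509.Certificate, nonce, sig []byte) bool {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, nonce, sig)
}

// Demo runs both cases: the key holder answers the challenge and is accepted;
// a presenter who has only the certificate cannot answer it and is rejected.
func Demo() (holderOK, impostorOK bool, err error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the legitimate subject's keypair
	cert, err := issueCert(pub, priv)
	if err != nil {
		return
	}
	nonce := make([]byte, 32) // the relying party's fresh challenge
	if _, err = rand.Read(nonce); err != nil {
		return
	}
	holderOK = verifyPossession(cert, nonce, ed25519.Sign(priv, nonce))
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // impostor has the cert, not its key
	impostorOK = verifyPossession(cert, nonce, ed25519.Sign(otherPriv, nonce))
	return
}
```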
Re: Lie in X.BlaBla...
there may be a slightly different issue ... at least, with regard to one of the early projected applications for certificates, which was consumer identity in retail financial transactions. At least the EU has talked about making retail transactions as anonymous as cash ... which sort of rules out using consumer identity certificates in such an environment (i.e. while consumer identity certificates in retail transactions wouldn't be fraud ... requiring them would appear to be in violation of privacy guidelines/regulations).

a stop-gap solution in europe has been relying-party-only certificates; however, it is trivially shown that appending relying-party-only certificates to an account-based transaction is redundant and superfluous (i.e. not illegal, just not KISS).

random refs:
http://www.garlic.com/~lynn/2001f.html#31
http://www.garlic.com/~lynn/aadsm5.htm#asrn2
http://www.garlic.com/~lynn/aadsm5.htm#asrn3
http://www.garlic.com/~lynn/subtopic.html#privacy

Greg Broiles [EMAIL PROTECTED]@wasabisystems.com on 06/03/2001 11:00:31 AM
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED], Enzo Michelangeli [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Re: Lie in X.BlaBla...

I don't think the new law is necessary - it's basically a retread of existing fraud and computer misuse statutes - but I don't think it criminalizes anything that wasn't criminal before. I haven't spent a lot of time crawling through Washington's criminal code - nor criminal courts, where the rubber meets the road - so I don't know if the felony status for this is new, or meaningful, or exemplary - it sounds like overkill, to my ears, but so does much of what comes out of our federal and state legislatures, so I've stopped thinking that's remarkable.