On Fri, 21 Jul 2000, Anand Kumria wrote:
> On Wed, Jul 19, 2000 at 11:39:13AM +1000, Rev Simon Rumble wrote:
> > On Wed, Jul 19, 2000 at 12:03:15PM +1000, Jamie Honan uttered:
> >
> > > Its aim is to enable me to verify that I am who I say I am, thus
> > > requiring my 'profile' to be publicly available?
> >
> > Your public key, yes. But in this scheme it appears that the ATO are
> > generating the keys. That means they can take a copy in escrow and
> > forge your signature. I don't like that.
[ not mentioned by Simon but equally important, data sent to you using
your public key could be decrypted by someone with knowledge of your
private key ]
>
> Basically you don't have a choice, the government wants all/most interactions
> to take place electronically. Are you sure that you are getting a Public/Private
> pair for encryption?
From other posters, this appears to be the case.
(Although it needn't be. It could serve as an initial starting point
for authorisation, for you being able to send a new authorised public
key).
One thought: providing you with escrowed pairs could place a huge
liability on the escrow agency. Imagine the scenario:
* Agency issues pairs. Forwards and escrows private, publishes public.
* PKI body only accepts Agency issued public keys (because of escrow of
private keys)
* System becomes hugely popular, cornerstone of modern economy
* Private keys 'leak' from issuing agency
* Commercial, personal and other damage done, possibly on a vast scale
Maybe the government is considering legislation to limit the
escrow agency's liability?
Sorry to do this topic to death. It really is OT for Linux.
Jamie
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug