-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stuart D. Gathman wrote:
> "The CA assures the receiver that the certificate was issued to a
> particular person (not necessarily a particular e-mail address)."
>
> In the case of cheap email certifications, the CA does *not* in fact
> verify the person.  They only verify that the email address given can
> reply to a confirmation message.  Of course, CAs can issue certificates
> that verify the person, but these are more expensive.
> (Except for http://www.cacert.org/ )

Right, I guess my description was a bit too idealistic.  However, your 
original sentence...

  "The CA assures the receiver that the certificate was issued to a
  particular email address."

...isn't worth much if the "email address" part doesn't refer to the sender 
e-mail address in the message, which in fact it doesn't.  That merely 
applies to the e-mail address in the certificate (if there is one in the 
cert in the first place), which is usually NOT checked against the 
message's sender address.  (That's why I changed your wording.)  So 
perhaps we should just delete that last sentence and be done with it.

Deleted and done.

Wayne Schlitt wrote:
> CAs can't tell if a single spammer has registered many different certs
> under many different aliases.  CAs have a very hard time telling if a
> single spammer is using many different real people as their aliases.
> [...]
> All certificates do is tell you that someone was able to successfully
> have a cert paid for.  Usually with a credit card.  Not always with
> their own credit card.

Mostly true, with one theoretical exception.  Governments could issue 
digital certificates together with their regular ID documents, which would 
about guarantee identity, at least with trustworthy governments.  (No, I 
would NOT accept the likely implications such as private key escrow just 
to achieve that kind of "absolute" authenticity.)

> Certs have no more value for basing a reputation on than domain names.

Which once more proves that hierarchical PKIs aren't really much better 
than anarchical webs of trust.  Better to always explicitly define 
yourself whom you want to trust.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEdluHwL7PKlBZWjsRAgv6AJ9ZXdqA2JysmlQmfp4R6Hw3cnQXUwCffEDL
8LSTk5EDIo7DJrojgDaFmqk=
=zePU
-----END PGP SIGNATURE-----
