On Thursday 25 May 2006 21:36, Julian Mehnle wrote:
> Wayne Schlitt wrote:
> > CAs can't tell if a single spammer has registered many different certs
> > under many different aliases. CAs have a very hard time telling if a
> > single spammer is using many different real people as their aliases.
> > [...]
> > All certificates do is tell you that someone was able to successfully
> > have a cert paid for. Usually with a credit card. Not always with
> > their own credit card.
>
> Mostly true, with one theoretical exception. Governments could issue
> digital certificates together with their regular ID documents, which would
> about guarantee identity, at least with trustworthy governments. (No, I
> would NOT accept the likely implications such as private key escrow just
> to achieve that kind of "absolute" authenticity.)
>
> > Certs have no more value for basing a reputation on than domain names.
>
> Which once more proves that hierarchical PKIs aren't really much better
> than anarchical webs of trust. Better to always explicitly define
> yourself whom you want to trust.
>

I don't know if they are better or worse, but they can certainly be more painful.
Actually the US Department of Defense has set up its own separate PKI hierarchy. I needed one of their certs for some of the work I do. I had to show the same level of documentation, in person, that I would need for a passport.

I understand that starting 1 June, at least some parts of DoD are going to start rejecting any e-mail that is not S/MIME signed. We'll see.

While a cert itself might not be useful for reputation, I can see developing a reputation system at the CA Cert level. Some CAs will be more restrictive than others. If a message is signed by a cert issued from a reputable CA, then that might mean something.

Scott K

P.S. Trying to get a non-standard CA root cert to be trusted in Kmail turned out to be a really fun exercise in frustration and googling.
