
I expect this problem can usually be handled without formal CAs. If you publish your PGP key fingerprint in your advertising and make the key available on your web page, then your users have a way of independently verifying your key. As the fingerprint appears in more and more places (letterhead, product packaging, etc.), it is less and less likely that your attacker can reach them all to modify them. The important thing is diverse paths. If you include your key in the package with the product and print the fingerprint on the outside, it becomes relatively easier for your attacker to replace the whole thing as part of an attack.

At 11:33 AM 7/13/96 -0400, Michael Froomkin wrote:
This illustrates the need for and role of certification authorities.
See http://www.law.miami.edu/~froomkin/articles/trusted.htm for some info.
On Sat, 13 Jul 1996, Lyal Collins wrote:
This touches upon a favourite rant of mine. [...] So, now you need to ensure that you can get your public key (to verify the digital signature with) in the hands of all your possible, or intended, recipients.
Now the race is on for as many people as possible to generate PGP public keys/certificates bearing your name, or variations of it. Once that occurs, there is a fair chance that one of these keys will verify the digital signature on a piece of software purportedly from you. Still, not many people will have your true PGP public key/certificate, but, them's the breaks.
-------------------------------------------------------------------------
Bill Frantz       | The Internet may fairly be | Periwinkle -- Consulting
(408)356-8506     | regarded as a never-ending | 16345 Englewood Ave.
frantz@netcom.com | worldwide conversation.    | Los Gatos, CA 95032, USA
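
The "diverse paths" check described in the reply above, as an added example that is not part of the original thread: a key is accepted only when fingerprints gathered from channels independent of the key's own delivery path agree with it. Assumptions: SHA-256 over raw key bytes stands in for the PGP fingerprint algorithm, and the channel names, sample keys and the `quorum` parameter are constructed for illustration.

```python
import hashlib
import string

def fingerprint(key_bytes: bytes) -> str:
    # Assumption: SHA-256 of the raw key bytes stands in for PGP's own
    # fingerprint algorithm, which this sketch does not implement.
    return hashlib.sha256(key_bytes).hexdigest().upper()

def normalize(printed: str) -> str:
    # Printed fingerprints carry spaces, colons and mixed case.
    return "".join(c for c in printed if c in string.hexdigits).upper()

def check_key(key_bytes, published, same_path, quorum=2):
    """published: {channel: fingerprint as printed there}.
    same_path: channels that arrived together with the key.
    quorum: hypothetical policy knob, not from the thread."""
    actual = fingerprint(key_bytes)
    agree, disagree = [], []
    for channel, printed in sorted(published.items()):
        if channel in same_path:
            continue  # replaced along with the key in a whole-package swap
        (agree if normalize(printed) == actual else disagree).append(channel)
    return (not disagree and len(agree) >= quorum), agree, disagree

def grouped(fp: str) -> str:
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4)).lower()

# Constructed sample data: no real keys or fingerprints.
VENDOR_KEY = b"constructed vendor public key"
FORGED_KEY = b"constructed substitute key"
INDEPENDENT = {
    "letterhead": grouped(fingerprint(VENDOR_KEY)),
    "magazine advert": fingerprint(VENDOR_KEY),
    "web page": grouped(fingerprint(VENDOR_KEY)),
}

def genuine_download():
    return check_key(VENDOR_KEY, INDEPENDENT, same_path=set())

def swapped_package():
    # Key in the box and the label printed on it were replaced together.
    seen = {**INDEPENDENT, "box label": grouped(fingerprint(FORGED_KEY))}
    return check_key(FORGED_KEY, seen, same_path={"box label"})

def box_label_only():
    seen = {"box label": grouped(fingerprint(FORGED_KEY))}
    return check_key(FORGED_KEY, seen, same_path={"box label"})

if __name__ == "__main__":
    for case in (genuine_download, swapped_package, box_label_only):
        print(case.__name__, case())
```

The box label never counts toward acceptance because it travels with the key; a key backed only by that label is rejected even though the two match each other.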