Christian D. Odhner writes:
what keeps people from [getting certified] keys with somebody else's name
The relation between the preferred signature authority for the installation, and that installation. From the documentation:
Some companies authorized to issue approval files to their employees may require that you sign a printed request form and have it notarized by a notary public. (To create a printed request form, choose Print from the File menu.) Note: If you are going to use your Signer as an individual or in a small business, look for the insert that came with this package for instructions on using an outside approval authority.
Print your request and send it, with a copy of the Request file on disk if necessary, to your approval authority. See the insert that came with your package for details. Assuming that your request form has been completed properly, the approval authority will send back your Signer Approval file.
...which would seem to put the lie to (the general application of) my earlier statement:
[the key] can be mailed automagically to RSADSI
Which turns out to be true only for the 'low assurance' RSA Persona Certificate Authority (currently handing out certificates for free) which does no verification of the user<-->id link. CAs with more stringent policies have stronger prerequisites for the issuance of a certificate.

Hope this helps,

Scott Collins | "Few people realize what tremendous power there is in one of these things." -- Willy Wonka
.......................................................................
BUSINESS. voice:408.862.0540 fax:974.6094 collins@newton.apple.com
Apple Computer, Inc. 1 Infinite Loop, MS 301-2C Cupertino, CA 95014
.......................................................................
PERSONAL. voice/fax:408.257.1746 1024:669687 catalyst@netcom.com