An interesting "direct demonstration" of this would be to get a certificate generated for a well-known company, institution, or political candidate. This would demonstrate the flaws in the e-mail/fax/snailmail process like nothing else.
That wasn't quite the point. If I submitted a key and paperwork for the key claiming to be Jim Bidzos, and they gave me a cert for that, that wasn't my point. My point was simply the technical linking of the paperwork and the key. I figured that a relatively easy way to fix that would be to require an MD5 of the key included with the faxed paperwork. It has been mentioned to me, though, that an MITM would be noticed once VeriSign sent me back a signed cert and it didn't work with my key.
(Tangential note: Of course, my fear is always that exposing such flaws shows that "we need a national identity system." After all, what Sameer is describing is implicit in the fact that neither e-mail, nor a fax, nor snail mail, is proof that an entity exists, or that the paperwork represents the entity. That's a tough nut to crack, absent an "is-a-person" or "is-an-institution" credentialling system.)
--Tim May
Views here are not the views of my Internet Service Provider or Government.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."
--
sameer                                   Voice:   510-601-9777
Community ConneXion                      FAX:     510-601-9734
The Internet Privacy Provider            Dialin:  510-658-6376
http://www.c2.org (or login as "guest")  sameer@c2.org
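
The fix proposed in the reply above (a digest of the key carried on the faxed paperwork), sketched as a CA-side check. This is an added example, not part of the original posts: the function names and the sample key bytes are hypothetical, and the digest defaults to SHA-256 rather than the MD5 the post mentions.

```python
import hashlib
import hmac
import re


def key_fingerprint(key_bytes: bytes, algo: str = "sha256") -> str:
    """Hex digest of the exact public-key bytes submitted electronically."""
    return hashlib.new(algo, key_bytes).hexdigest()


def format_for_paper(fp_hex: str) -> str:
    """Group the digest in blocks of four so it can be written on a form."""
    return " ".join(fp_hex[i:i + 4] for i in range(0, len(fp_hex), 4)).upper()


def normalize(transcribed: str) -> str:
    """Drop spaces, colons and case differences introduced by transcription."""
    return re.sub(r"[^0-9a-fA-F]", "", transcribed).lower()


def paperwork_matches_key(faxed_fp: str, submitted_key: bytes,
                          algo: str = "sha256") -> bool:
    """True only if the digest on the paperwork is the digest of this key."""
    expected = key_fingerprint(submitted_key, algo)
    got = normalize(faxed_fp)
    if len(got) != len(expected):       # truncated or missing fingerprint
        return False
    return hmac.compare_digest(got, expected)


# Constructed sample data: stand-ins for encoded public keys.
REQUESTER_KEY = b"constructed-public-key-of-the-real-requester"
SUBSTITUTED_KEY = b"constructed-public-key-swapped-in-transit"

# The requester writes the fingerprint of their own key on the faxed form.
FAXED_FP = format_for_paper(key_fingerprint(REQUESTER_KEY))

if __name__ == "__main__":
    # Key arrives unmodified: paperwork and key are linked.
    print("genuine key accepted:    ", paperwork_matches_key(FAXED_FP, REQUESTER_KEY))
    # Key replaced between requester and CA: the paperwork no longer matches.
    print("substituted key accepted:", paperwork_matches_key(FAXED_FP, SUBSTITUTED_KEY))
```

The check only binds the paperwork to the key. Whether the paperwork itself represents the claimed entity is the separate problem raised in the quoted note.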