At 10:23 AM -0700 10/18/2000, Ed Gerck wrote:
"Arnold G. Reinhold" wrote:
At 11:21 AM -0700 10/17/2000, Ed Gerck wrote:
As Tony Bartoletti wrote, apologies for what seems a rant, but the "solid mathematical foundations" underlying digital signatures, "Qualified Certificates", unmistakable IDs, biometrics and so forth create in me a degree of "psychic and social backlash" as well.
As well it should. There is a big difference between "can we do it?" and "should we do it?"
One other point, and let me shift to upper case for this one: THERE ARE NO "SOLID MATHEMATICAL FOUNDATIONS" FOR ANY OF THIS STUFF!!!!! THE DIFFICULTY OF BREAKING PUBLIC KEY SYSTEMS HAS NEVER BEEN PROVEN MATHEMATICALLY.
Yes, that is why Tony's remark was somewhat tongue-in-cheek and used "solid mathematical foundations" within quotes.
Eye twinkle doesn't come across in e-mail, I'm afraid. My apologies to Tony. This is obviously one of my hot buttons.
It is all hypothesis and empirical argument. A lone mathematician working in his attic could come up with an algorithm that would blow some or all of the existing systems out of the water. Who get to cover that financial risk?
The buyer. CAs (read Verisign's CPS or any CA's CPS, or bank contracts and -- above all -- see the US UCC) are not responsible for producing correct results but just for using correct methods. Where "correct methods" are what others consider correct -- even if they are proved wrong later on by a one mathematician working in his attic.
I'm not sure those contracts would stand up in court if there were massive public losses due to a collapse of the PKI. (Anyway CA CPS's stretch to notion of a "mutual agreement" pretty far. I purchase a $10 cert and am bound by over 100 pages of gobbldygook that only a handful of people on the planet can be expected to fully understand?) But I am less concerned with CA legal liability then with who is left holding the bag when a massive subversion of the banking system is perpetrated, and how big that could be. Arnold Reinhold