From: IN%"shamrock@netcom.com" 9-MAY-1996 23:02:01.67
At 19:37 5/9/96, E. ALLEN SMITH wrote:
I can see some fascinating legal questions with what, exactly, a VeriSign certificate obligates the company for. Digital signature laws should get interesting - any application of this to the Utah one?
VeriSign is going to offer four levels of certs. The first requires only uniqueness. For the other three levels, VeriSign will require more and better assurances of the correctness of True Name stated on the cert. I don't know what form these assurances are supposed to take.
The first level, in other words, is less of a certification than a PGP key with self-signature and signature from one other person. It doesn't have _any_ effort to verify that the email address stated on it is the actual email address of that nym. Or am I misinterpreting you? -Allen
They claim to make an effort that the email address is unique, and that Verisign!!'s shamrock@netcom.com will only be issued once.
Adam
-- "It is seldom that liberty of any kind is lost all at once." -Hume
The first level, in other words, is less of a certification than a PGP key with self-signature and signature from one other person. It doesn't have _any_ effort to verify that the email address stated on it is the actual email address of that nym. Or am I misinterpreting you?
All the first level cert means, and nothing more, is "The name associated with this key is unique among the first level keys certified by Verisign." No effort is made to 'verify' the name. If you register your pseudonym with all of the high-profile CAs that allow it, before you first use the nym, it becomes much harder to spoof your nym's key. Assuming, of course, that it is customary for nyms to get their keys certified and for people to check them. Bill Stewart, I believe, informally operates a CA that will sign unique nyms' keys.
andrew
participants (3)
- Adam Shostack
- Andrew Loewenstern
- E. ALLEN SMITH