the other scenario that some certification agencies have expressed (i.e. licensing bureaus, bbb, consumer report, etc operations) is that in the online world ... that they would provide an online service .... rather than certificates designed for an offline world. the online website provides a superior experience, real-time information, and a better binding between the certification agencies and the relying parties (i.e. current use of certificates totally disintermediates the certification authorities and the relying parties .... except in the scenario where the certification authority and the relying party are the same ... in which case the certificates are redundant and superfluous). in the shopping experience trust establishment ... trust can be established in a variety of ways, brand, advertisement, word-of-mouth, previous experience, etc. certification trust is just one of the many ways of establishing various kinds of trust. however, any certification trust in the online environment could be better provided by an online certification delivery vehicle ... rather than an offline (certificate) vehicle (which disintermediates the certification agency and the relying party).

"Arnold G. Reinhold" <reinhold@world.std.com> on 11/22/2000 08:00:34 AM
Please respond to "Arnold G. Reinhold" <reinhold@world.std.com>
On Wed, 22 Nov 2000 Lynn.Wheeler@firstdata.com wrote:

> the other scenario that some certification agencies have expressed (i.e. licensing bureaus, bbb, consumer report, etc operations) is that in the online world ... that they would provide an online service .... rather than certificates designed for an offline world.

Yes, it seems fairly well established that revocations just plain don't work. Once again, the solution to the problems of offline operation appears to be online operation.

-Bram Cohen
I would like to get further information as to why you think revocation does not work. I'll admit that in the case of the revocation of Sun's certificates, it was very apparent that the notification process was weak. The other piece, the browser checking of expired/revoked certificates, is non-existent, but if you properly set up your application, it "should" check the revocation status of both the CA certificate and the subscriber's certificate. Your thoughts?

Bram Cohen wrote:

> On Wed, 22 Nov 2000 Lynn.Wheeler@firstdata.com wrote:
>
> > the other scenario that some certification agencies have expressed (i.e. licensing bureaus, bbb, consumer report, etc operations) is that in the online world ... that they would provide an online service .... rather than certificates designed for an offline world.
>
> Yes, it seems fairly well established that revocations just plain don't work.
>
> Once again, the solution to the problems of offline operation appears to be online operation.
>
> -Bram Cohen
For help on using this list (especially unsubscribing), send a message to "dcsb-request@reservoir.com" with one line of text: "help".
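The check Mark describes, a relying party consulting the revocation status of both the CA certificate and the subscriber's certificate rather than trusting either one on sight, written out as an added example. This is not code from the thread or from any of its participants; it is an illustration built on Go's standard crypto/x509 package (x509.ParseRevocationList and RevocationList.CheckSignatureFrom need Go 1.19 or later). The root, intermediate and leaf certificates, their CRLs, and the names issue, publishCRL, checkAgainstCRL, checkChain and scenario are all constructed fixtures for the example, not real CA material or anyone's published API. Chain building, i.e. confirming that the leaf really chains to the intermediate and the root, is assumed to have been done first with the usual Verify call; only the revocation question is shown. The two failure modes Mark's "should" glosses over are handled explicitly: a CRL that cannot be verified under the issuer's key, or that is stale, is an error and is never read as "good".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caUsage is the key usage a certificate needs to sign both certificates and CRLs.
const caUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign

func must(err error) { // fixture building only; a failure here is a bug in the example
	if err != nil {
		panic(err)
	}
}

// issue returns a certificate for cn signed by parent (nil means self-signed). Keys and
// certificates are throwaway fixtures generated at run time, not real CA material.
func issue(cn string, serial int64, usage x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: usage,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: usage == caUsage,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// publishCRL signs a one-hour CRL in issuer's name listing those issued certs flagged in revoked.
func publishCRL(issuer *x509.Certificate, key ed25519.PrivateKey, issued []*x509.Certificate, revoked map[string]bool, now time.Time) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	for _, c := range issued {
		if revoked[c.Subject.CommonName] {
			tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
		}
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
	must(err)
	crl, err := x509.ParseRevocationList(der)
	must(err)
	return crl
}

// checkAgainstCRL answers "good" or "revoked" for cert from its issuer's CRL. A missing,
// unverifiable or stale CRL is an error: a relying party must never read that as "good".
func checkAgainstCRL(cert, issuer *x509.Certificate, crl *x509.RevocationList, now time.Time) (string, error) {
	if crl == nil || crl.CheckSignatureFrom(issuer) != nil {
		return "", fmt.Errorf("no CRL from %s that verifies under its key", issuer.Subject.CommonName)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return "", fmt.Errorf("CRL from %s is not current at %s", issuer.Subject.CommonName, now.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}

// checkChain checks every certificate in leaf -> ... -> root, except the self-signed root
// (trusted out of band), against the CRL its issuer publishes; crls is keyed by issuer name.
func checkChain(chain []*x509.Certificate, crls map[string]*x509.RevocationList, now time.Time) (map[string]string, error) {
	out := map[string]string{}
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		st, err := checkAgainstCRL(cert, issuer, crls[issuer.Subject.CommonName], now)
		if err != nil {
			return nil, err
		}
		out[cert.Subject.CommonName] = st
	}
	return out, nil
}

// scenario builds root -> intermediate -> leaf, has each CA publish its CRL with the
// flagged names revoked, and checks the whole chain at publication time plus skew.
func scenario(revoked map[string]bool, skew time.Duration) (map[string]string, error) {
	root, rootKey := issue("root", 1, caUsage, nil, nil)
	inter, interKey := issue("intermediate", 2, caUsage, root, rootKey)
	leaf, _ := issue("leaf", 3, x509.KeyUsageDigitalSignature, inter, interKey)
	now := time.Now()
	crls := map[string]*x509.RevocationList{
		"root":         publishCRL(root, rootKey, []*x509.Certificate{inter}, revoked, now),
		"intermediate": publishCRL(inter, interKey, []*x509.Certificate{leaf}, revoked, now),
	}
	return checkChain([]*x509.Certificate{leaf, inter, root}, crls, now.Add(skew))
}

func main() {
	fmt.Println(scenario(map[string]bool{"intermediate": true}, 0)) // intermediate revoked; the leaf's own list still says good
}
```

Two things worth noticing when running it. Revoking the intermediate leaves the leaf's own entry at "good", because the leaf is only listed (or not) on the intermediate's CRL; it is the caller's job to treat any "revoked" in the map as fatal for the whole chain, which is exactly why checking only the subscriber certificate is not enough. And calling scenario with a skew past the CRL's NextUpdate returns an error rather than a status: a CRL is the offline delivery vehicle Lynn contrasts with an online service, and a list the relying party cannot show to be current says nothing about the present.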
At 04:47 PM 11/22/00 -0800, Bram Cohen wrote:

> On Wed, 22 Nov 2000 Lynn.Wheeler@firstdata.com wrote:
>
> > the other scenario that some certification agencies have expressed (i.e. licensing bureaus, bbb, consumer report, etc operations) is that in the online world ... that they would provide an online service .... rather than certificates designed for an offline world.
>
> Yes, it seems fairly well established that revocations just plain don't work.
>
> Once again, the solution to the problems of offline operation appears to be online operation.

And the annoying thing about this is that once we go to needing an online trusted third party to allow us to have secure communications, we may as well chuck the public key stuff and just use symmetric ciphers and the key exchange protocols worked out ten or fifteen years ago. Which makes me suspect that we're just not using public key mechanisms very intelligently yet. We've realized that screws are better for many jobs than nails, it's just that they're so damned hard to hammer in....

> -Bram Cohen

--John Kelsey
PGP: 5D91 6F57 2646 83F9 6D7F 9C87 886D 88AF
``Slavery's most important legacy may be a painful insight into human nature and into the terrible consequences of unbridled power.'' --Thomas Sowell, _Race and Culture_
On Fri, 24 Nov 2000, John Kelsey wrote:

> At 04:47 PM 11/22/00 -0800, Bram Cohen wrote:
>
> > Once again, the solution to the problems of offline operation appears to be online operation.
>
> And the annoying thing about this is that once we go to needing an online trusted third party to allow us to have secure communications, we may as well chuck the public key stuff and just use symmetric ciphers and the key exchange protocols worked out ten or fifteen years ago.

That isn't completely true - using public key protocols involves many fewer messages total, and allows for much more decentralized data access - we're using it for Mojo Nation for precisely those reasons, and it's made a fundamental difference in scalability. It isn't quite as revolutionary as one might expect though.

PKI for contracts and treaties is also largely overhyped - those have long depended on agreements being widely distributed/notarized/timestamped for their reliability, and the law of contracts is all based on oral agreements. PKI just contributes a bit more evidence (and, apparently, not a crucial part) and making it be a 'legally binding signature' mostly has to do with the technical question of when an agreement goes from being negotiated to legally binding. Sending a piece of mail saying 'ok' can work just as well.

-Bram Cohen
participants (4)
- Bram Cohen
- John Kelsey
- Lynn.Wheeler@firstdata.com
- Mark Scherling