At 11:10 PM 5/9/96, E. ALLEN SMITH wrote:
From: IN%"shamrock@netcom.com" 9-MAY-1996 23:02:01.67
At 19:37 5/9/96, E. ALLEN SMITH wrote:
I can see some fascinating legal questions with what, exactly, a VeriSign certificate obligates the company for. Digital signature laws should get interesting - any application of this to the Utah one?
VeriSign is going to offer four levels of certs. The first requires only uniqueness. For the other three levels, VeriSign will require more and better assurances of the correctness of True Name stated on the cert. I don't know what form these assurances are supposed to take.
The first level, in other words, is less of a certification than a PGP key with self-signature and signature from one other person. It doesn't have _any_ effort to verify that the email address stated on it is the actual email address of that nym. Or am I misinterpreting you?
The only effort they make is that when using the email-based CA, it mails the certificate to the address within, so it's not trivial to get a cert for an address that you don't have access to. (I'm not saying it's impossible, or even hard, just that it requires some skill and effort).
- Tim
Tim Dierks -- timd@consensus.com -- www.consensus.com
Head of Thing-u-ma-jig Engineering, Consensus Development
Tim Dierks wrote:
The only effort they make is that when using the email-based CA, it mails the certificate to the address within, so it's not trivial to get a cert for an address that you don't have access to. (I'm not saying it's impossible, or even hard, just that it requires some skill and effort).
For example, see http://www.digicrime.com/id.html . I believe they got these certificates using the Web, rather than e-mail. I think with e-mail, you'd actually have to be running a packet sniffer or doing an active attack such as DNS spoofing. However, the Web is much, much more convenient. In any case, the page I referenced above is worthwhile reading.
Raph
On Fri, 10 May 1996 10:22:24 -0700, timd@consensus.com wrote:
The only effort they make is that when using the email-based CA, it mails the certificate to the address within, so it's not trivial to get a cert for an address that you don't have access to. (I'm not saying it's impossible, or even hard, just that it requires some skill and effort).
I don't believe this is correct. They send you information after you have created the cert verifying that you set it up, but nothing requires a response and the key is transferred via http.
Dan Weinstein
djw@vplus.com
http://www.vplus.com/~djw
PGP public key is available from my Home Page.
All opinions expressed above are mine.
"I understand by 'freedom of Spirit' something quite definite - the unconditional will to say No, where it is dangerous to say No." Friedrich Nietzsche
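The two issuance flows the thread argues over, modelled side by side as an added example (not code from the thread, and not VeriSign's actual procedure): in the first, the cert is handed back immediately and a copy is mailed, so nothing checks mailbox control; in the second, issuance is gated on a one-time challenge that only the mailbox owner can read and return. The `ToyEmailCA` class, its fields and the in-memory outbox are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of the two issuance flows discussed above.
# Illustration only, not VeriSign's real procedure; "mail" is a list.

class ToyEmailCA:
    def __init__(self):
        self._secret = secrets.token_bytes(32)  # CA-side key for challenge MACs
        self.outbox = []                        # (recipient, body) in lieu of SMTP
        self._pending = {}                      # request_id -> (email, pubkey)

    def _challenge(self, request_id, email):
        # Token bound to this request and this address; only the CA can compute it.
        msg = f"{request_id}:{email}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue_mail_only(self, email, pubkey):
        # Flow (a): the cert is returned at once (e.g. over http) and a copy is
        # mailed. Nothing verifies that the requester can read that mailbox.
        cert = {"subject_email": email, "pubkey": pubkey}
        self.outbox.append((email, "your certificate is attached"))
        return cert

    def request(self, email, pubkey):
        # Flow (b), step 1: record the request and mail a one-time challenge.
        request_id = secrets.token_hex(8)
        self._pending[request_id] = (email, pubkey)
        self.outbox.append((email, self._challenge(request_id, email)))
        return request_id

    def redeem(self, request_id, token):
        # Flow (b), step 2: issue only if the mailed token comes back intact.
        entry = self._pending.get(request_id)
        if entry is None:
            return None
        email, pubkey = entry
        if not hmac.compare_digest(token, self._challenge(request_id, email)):
            return None
        del self._pending[request_id]           # challenge is single-use
        return {"subject_email": email, "pubkey": pubkey}
```

Only flow (b) ties the cert's email name to something the requester had to read from that mailbox; flow (a) proves nothing beyond the ability to submit the form.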