CDR: Re: Public Key Infrastructure: An Artifact...
Arnold G. Reinhold
reinhold at world.std.com
Mon Nov 20 09:10:42 PST 2000
At 12:08 PM +0000 11/19/2000, Perry commented:
>
>[I see you've never paid attention to how easy it is to get a
>certificate, Ben. I suspect I could get one in the name of any company
>with about 20 minutes of unskilled forgery. The level of checking done
>is trivial. This wouldn't be a problem except for the fact that all
>CAs disclaim any and all liability for practical purposes. --Perry]
>
Perry's last sentence gets to the heart of the matter. If CAs
included a financial guarantee of whatever it is they are asserting
when they issue a certificate, then all these problems would go away.
The CAs would have a strong interest in clarifying the semantics of
certificates and would choose technology and verification methods
that optimized the risk vs cost (including difficulty of use)
tradeoff.

I believe the reason this has not happened yet is that various
business interests perceive an opportunity to get the government to
shift all risk to the consumer by snowing legislators with crypto
mumbo-jumbo. That is an even cheaper solution from the business
interests' perspective.

Arnold Reinhold