Getting certificates.

Eric Murray ericm at lne.com
Thu Sep 4 07:56:32 PDT 2003


On Wed, Sep 03, 2003 at 08:27:18AM -0700, James A. Donald wrote:
>     --
> SSH server public/private keys are widely deployed.  PKI public 
> keys are not.  Reason is that each SSH server just whips up its 
> own keys without asking anyone's permission, or getting any 
> certificates.

...which means that it still requires an OOB authentication
(or blindly typing 'yes' and ignoring the consequences).
But that's another subject.


> Now what I want is a certificate that merely asserts that the  
> holder of the certificate can receive email at such and such an 
> address, and that only one such certificate has been issued for 
> that address.  Such a certification system has very low costs  
> for issuer and recipient, and because it is a nym certificate, 
> no loss of privacy.

Verisign had for a number of years an email-only cert.
That is, they verified that the email address had someone
or something that answered email.  I believe that they
called this a 'Class 1' cert.
 
> The certs that IE and outlook express accept oddly do not seem 
> to have any provision for defining what the certificate  
> certifies.
> 
> This seems a curious and drastic omission from a certificate  
> format.

X.509, PKIX et al. allow a CA to insert a pointer
to a certificate practice statement, which can define
what the certificate certifies.

> and application of such certificates.  It also, as anyone who  
> tries to get a free certificate from Thawte will discover,  
> makes it difficult, expensive, and inconvenient to get  
> certificates.  

Thawte's making free certs difficult has nothing to do
with the usefulness of certs or X.509 or true names or
whatever, and everything to do with maximizing profit.

Since each cert carries a fixed risk of legal issues
(i.e. being sued because they certified X who wasn't X)
Verisign/Thawte want to sell a comparatively few expensive
certs instead of a lot of cheap certs.

Eric
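The pointer Eric mentions lives in the X.509 certificatePolicies extension: each policy OID may carry an id-qt-cps qualifier holding the URI of the CA's certificate practice statement. The block below is an added example, not part of the original thread: a small pure-Python DER encoder and decoder for that extension value, with the private-arc policy OID 1.3.6.1.4.1.99999.1.2 and the example.com URIs used in testing being constructed samples.

```python
# Pure-Python DER for the certificatePolicies extension value (RFC 5280 4.2.1.4).
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"  # policy qualifier id-qt-cps: CPS URI (IA5String)
def _tlv(tag, body):  # DER tag + length (short or long form) + body
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body
def _oid(dotted):  # OBJECT IDENTIFIER: first two arcs packed, rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        enc = [a & 0x7F]
        while a := a >> 7:
            enc.insert(0, 0x80 | (a & 0x7F))
        out += enc
    return _tlv(0x06, bytes(out))
def _oid_str(body):  # inverse of _oid, applied to the OID body bytes
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))
def _read(buf, pos):  # -> (tag, body, position just after this TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n
def encode_certificate_policies(policies):  # [(policy OID, CPS URI or None)]
    infos = b""
    for oid, cps in policies:
        body = _oid(oid)
        if cps:  # policyQualifiers ::= SEQUENCE OF { id-qt-cps, IA5String uri }
            body += _tlv(0x30, _tlv(0x30, _oid(ID_QT_CPS) + _tlv(0x16, cps.encode())))
        infos += _tlv(0x30, body)
    return _tlv(0x30, infos)
def cps_pointers(ext_value):  # -> {policy OID: [CPS URI, ...]}
    out, (_, seq, _), p = {}, _read(ext_value, 0), 0
    while p < len(seq):
        _, info, p = _read(seq, p)
        _, oid_body, q = _read(info, 0)
        out[_oid_str(oid_body)] = uris = []
        quals, r = (_read(info, q)[1] if q < len(info) else b""), 0
        while r < len(quals):
            _, qual, r = _read(quals, r)
            _, qid, s = _read(qual, 0)
            if _oid_str(qid) == ID_QT_CPS:
                uris.append(_read(qual, s)[1].decode("ascii"))
    return out
```

A policy entry without a qualifier (the second tuple in the test) decodes to an empty URI list, which is what a certificate looks like when the CA asserts a policy OID but publishes no CPS pointer.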
More information about the cypherpunks-legacy mailing list