Sorry, rushed reply!
Eddy Nigg wrote:
> On 11/11/2008 04:58 AM, Ian G:
>> Yes, you are confirming and reinforcing his point: the dominant paradigm
>> -- to push a concept of a binding of legal name to key -- is making it
>> difficult for advocates of crypto to gain traction.
>
> It serves a purpose, it's not the only form in current applied PKI on
> the web. An email address or domain name is a valid binding too. We've
> said that already.

Right, so a binding of a claim in a cert can be one with many forms of
data. Whether there is any "better" or "lesser" data is a question, in
general the most popular things seem to be descriptive names or
domain/email addresses.

>> And, in particular, the PKI industry's obsession with some concept that
>> you refer to as "legal identity" is ruining its own market. It's a
>> fairly simple point he is making.
>>
>> One reason (there are many) is that there is no "legal identity" in
>> existence, so efforts to push it run into invisible barriers.
>
> [snip]
>
> Oh really....I expect better from you! We all know what "legal
> identities" are, we aren't in the kindergarten anymore, right?

If we are, then it's "he said, she said." If we are not, you can define
this term of yours. :)

> There are enough reasons when a relying party needs to know which entity
> or identity he/she/it is.

Sure, that's a claim that is frequently made, albeit *only in PKI
circles*. That's what that whole CN is about. Some name that is fairly
clear, and an implied CA claim that there really is only one Paypal in
its list of certs, so you can rely that this is "the one".

(We don't need to go into that whole true-registered-name thing --
Inc/holding/state/... -- that can be done later, offline, if needed in a
real dispute.)

> The authority is that of the respective,
> governing country. The courts system and legislative is that of the
> respective authority (governing country). I believe that you don't have
> any better alternative binding than the legal system set up by the
> respective authority!

Sadly, this is not how it works. I guess you are talking about
disputing something, right?

The forum of dispute resolution is the one listed in the agreement. The
choice of law is the one listed in the agreement. (I guess you are
thinking of one of those two when you say "authority" ...)

Next: there are probably multiple agreements. There is one between the
CA and the end-user, which permits the end-user to be a relying party.
E.g., as you have agreed to the Verisign RPA, you may look at the green
bar on the Paypal website ;)

Then there is the one between the end user and the website business.
This might or might not be the one that is central in the dispute. Then
there are other agreements that pop in and out in the normal course of
business.

Next: because we are assuming the net (we are, right?) there are often
multiple jurisdictions involved. This might change the nature of the
agreements; although businesses tend to prefer their own courts & law
and so forth, some laws and forums (authorities) don't like that, and
may modify the forums and choices of law, as well as the contracts.

There are also transaction costs, but let's not destroy the sandcastle
before it is built.

> The purpose is to identify a person or company up to the extent that
> he/she/it can be found and charged if needed. I think that's about it...

Yes, you are almost there. The purpose is to resolve a dispute. The
rest may or may not follow.
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto