On 11/29/2008 02:37 PM, Eddy Nigg:
> Which they are indeed permitted to do, as long as they state that in
> their procedures, and their auditor agrees that they have met criteria.
> Eddy, other than your need to be colourful, what was the point you were
> trying to make?
Well, CAs MUSTN'T have private keys of end user certificates, except in
case of a properly implemented key escrow service and with the consent
of the user. But if you really have to ask this question I'm afraid that
the understandings about this and other subjects are probably too far
apart between us in order to have any fruitful discussion.
Perhaps I may add, that I'm not aware of any WebTrust, ETSI or similar
audit they (Skype) performed. Can you point me to it? Also where is
their (CA) policy?
I understand your interest in making CAs superfluous, however the CAs
perform various services only a third party is supposed to perform
(separation of different aspects which make up good security):
- software (cryptography and usability)
- issuing and validating instance
- user (control over his private keys)
In case of Skype they are the software vendor and control the software,
the issuing instance and also the user (because they control what
apparently seems to be private keys of users?). This is very similar to
dictatorship and similar regimes where no separation exists...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
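The separation the message above argues for (the user generates and keeps the private key, the CA only validates and issues) is what a standard CSR-based enrollment enforces at the protocol level. The following Go program is an added illustration written for this page; it is not code from the thread, from StartCom or from Skype. The CA name "Example Issuing CA", the subscriber "alice" and the self-signed demo CA are all constructed for the example; it uses only Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps setup code short; a failure there is a bug, not a protocol outcome.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func validity() (time.Time, time.Time) {
	return time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour)
}

// newCA builds a self-signed issuing CA for the demo (hypothetical, not any real
// CA). Its key signs subscriber public keys; it never holds a subscriber key.
func newCA() (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	nb, na := validity()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der))
}

// subscriberGenerate is the user's side: the key pair is generated locally and
// only the DER-encoded CSR (public key, name, self-signature) leaves the machine.
func subscriberGenerate(cn string) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csr := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return key, must(x509.CreateCertificateRequest(rand.Reader, csr, key))
}

// caIssue is the CA's side. Its only input from the user is the CSR. CheckSignature
// is the proof of possession: the CSR is signed with the subscriber's private key,
// so a valid signature shows the requester holds it without the CA ever seeing it.
func caIssue(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR rejected, proof of possession failed: %w", err)
	}
	nb, na := validity()
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))),
		Subject:      csr.Subject, NotBefore: nb, NotAfter: na,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// Enroll runs the exchange end to end. With tamper set, one byte of the requested
// name is flipped in transit (alice -> alicd): the DER stays well formed, but the
// proof of possession no longer verifies and the CA must refuse to issue. On success
// it reports whether the certificate chains to the CA and carries the subscriber's key.
func Enroll(cn string, tamper bool) (bool, error) {
	caKey, caCert := newCA()
	userKey, csrDER := subscriberGenerate(cn)
	if tamper {
		i := bytes.Index(csrDER, []byte(cn)) // cn is a printable string, so it appears verbatim
		csrDER = append([]byte(nil), csrDER...)
		csrDER[i+len(cn)-1] ^= 1
	}
	certDER, err := caIssue(caKey, caCert, csrDER)
	if err != nil {
		return false, err
	}
	cert := must(x509.ParseCertificate(certDER))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return false, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&userKey.PublicKey), nil
}

func main() {
	ok, err := Enroll("alice", false)
	fmt.Println("honest enrollment: key matches =", ok, "err =", err)
	_, err = Enroll("alice", true)
	fmt.Println("tampered CSR: err =", err)
}
```

The point to take from it: the CA's code path never receives anything but the CSR, and the only thing it can do with it is sign the public key inside after checking the requester's proof of possession. A system in which the same party ships the software, generates the key and issues the certificate can skip every one of those boundaries, which is the missing separation the message describes.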