Honestly, a single disgruntled employee can already send "fully
authorized" POs all over the map, as it stands right now.

That's what Sarbanes-Oxley is supposed to address -- it requires
internal auditing on a constant, continual basis.

And remember... a key can be its own identity.  The Freenet project
was designed around this idea.  Even if the signer is unknown, the
fact that the signature exists means that any other signatures with
the same key come from the/a holder of that private key.  This allows
that key to build a reputation over time, even if no nym other than
the keyID is ever linked, bound, or assigned to it.

-Kyle H

On Thu, Dec 18, 2008 at 4:20 AM, Anders Rundgren
<anders.rundg...@telia.com> wrote:
> Kyle,
> I fully agree with your conclusions.
> IMO a signature's primary function is to provide a mark of authenticity
> to something.  If the signature is associated with an unknown signer
> the value of the signature becomes rather limited.
>
> The Qualified Certificate concept is based on the strange idea that
> because the CA is liable to very high amounts of money, you can
> "trust" such signatures and thus do advanced business with total
> strangers.  What the designers of QC didn't think of is that anybody
> can get a QC without being checked to be a good payer, dependable
> vendor, etc.  If there is discomfort in a business relation, the CA has
> no means to rectify things making the value of the high liability very
> limited.
>
> IF people started to believe that QC actually works as described we would
> soon be in a very bad position since a single disgruntled employee could
> send "fully authorized" POs all-over-the-map.
>
> PKIX took this to another extreme by publishing an informational standard
> for liability which is one of the most ridiculous things I have ever seen
> http://www.ietf.org/rfc/rfc4059.txt
> since it doesn't deal with accumulation!!!  The motive behind this RFC
> was "to increase the acceptance of certificates" :-)
>
> Anders
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
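Kyle's point that a key can be its own identity, illustrated by an added Go program that is not part of this thread: reputation accrues only to the key ID that verifiably signed each message, no nym is ever bound to it, and a message re-attributed to a different key fails verification and earns nothing. The ledger, message type and key-ID derivation are my own assumptions, not anything from Freenet or the list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// KeyID is the only "name" a signer ever gets: a hash of its public key.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// SignedMsg carries the message, the signer's public key and the signature;
// no human-readable identity is bound to it anywhere (constructed type).
type SignedMsg struct {
	Pub ed25519.PublicKey
	Msg []byte
	Sig []byte
}

// Ledger accumulates reputation per key ID from verified signatures only.
type Ledger struct{ score map[string]int }

func NewLedger() *Ledger { return &Ledger{score: map[string]int{}} }

// Record verifies the signature and credits the signing key's ID.
// A message whose signature does not verify under the attached key is
// rejected, so reputation cannot be claimed by swapping in another key.
func (l *Ledger) Record(m SignedMsg) bool {
	if !ed25519.Verify(m.Pub, m.Msg, m.Sig) {
		return false
	}
	l.score[KeyID(m.Pub)]++
	return true
}

func (l *Ledger) Score(pub ed25519.PublicKey) int { return l.score[KeyID(pub)] }

// Sign produces a SignedMsg under priv; the public key travels with it.
func Sign(priv ed25519.PrivateKey, msg string) SignedMsg {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedMsg{Pub: pub, Msg: []byte(msg), Sig: ed25519.Sign(priv, []byte(msg))}
}

func main() {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, _, _ := ed25519.GenerateKey(rand.Reader)
	l := NewLedger()
	l.Record(Sign(privA, "PO #1"))
	l.Record(Sign(privA, "PO #2"))
	forged := Sign(privA, "PO #3")
	forged.Pub = pubB // re-attributed to B: the signature no longer verifies
	fmt.Println(l.Record(forged), l.Score(pubA), l.Score(pubB)) // false 2 0
}
```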