2009/3/27 Eddy Nigg <eddy_n...@startcom.org>:
> By the way, I'm *absolutely disgusted* by seeing the CN field be
> "Startcom Free Certificate Member".
>
> Perhaps you haven't used S/MIME certs from other providers then.... :-)

"Thawte Freemail Member". "Startcom Free Certificate Member". Same difference. I'm not looking for who issued the certificate, I'm looking for the email address. (I'm the user who's trying to figure out if I have a certificate for a given email address.)

> But of course it's clearly aimed at getting the subscriber to validate his
> identity. It's signaling that this certificate has no other validated
> attributes. Performing the validation serves a dual purpose here. First of
> all we believe that validated identities may solve one of the problems of
> inauthenticity on the Internet and we are clearly promoting it, second it
> serves a business purpose (which is opt-in) and which nobody denies.

Sure. By making it impossible to use, impossible to administer in day-to-day life. Keep it simple. You're inconveniencing the person that the person is communicating with, not the person himself. This doesn't lead to that third party saying "hey, get your name in this thing", it leads to that third party not wanting to use the system at all.

I'm also going to state, once more: your Assumptions (in this case, your Beliefs) are what are making this system NOT WORK. Your Beliefs are what are preventing people from wanting to participate. Sure, you set the rules, you set the UI... but nobody wants to play your game.

See, Eddy, the thing that I don't understand is this: you don't want to authenticate *identities*, you want to "authenticate" *only* *legal identities*. This fails for any number of reasons, most notably that someone can be fired for what s/he does in his/her off-hours. A bank manager can't write Harry Potter fanfiction. A Department of Revenue employee can't get support for his or her alcoholism (there's a reason they call it "Alcoholics Anonymous" -- check your last name at the door). Oh, and a flight attendant can't post about unwanted sexual harassment by passengers.

There are any number of reasons why people don't want to use their legal names online -- and you know what? They shouldn't have to. (Not to mention the link that Ian posted, about the US State Department issuing 4 valid passports to 4 fraudulent applications all made by the same man, which was made possible by having a little bit of information about 4 people who were -- fortunately -- not real. Identity theft is *common*, though. Hell, a recent episode of ManFacts discussed how to forge someone's fingerprints based on beer bottles at the bar.)

I've made the same arguments for years, and you still don't understand why nobody wants to play your game. I've bitched about the UI, and I'm repeatedly told "talk to the UI developers". The problem can't be solved by talking to the UI developers -- the problem can only be solved by the CAs and the UI developers working in concert with each other.

THIS is why your concept of authentication fails -- because the policies that you are trying to impose are policies that are harmful to the people you're trying to impose them on! And then they waste the time of everyone else, because the UI only shows the CN, and because you refuse to let the CN be the email address, instead showing that there are many people who have the same common name -- when you're not even supposed to be signing any certificate with any attribute you don't know, and you don't know their common name. All you know is their email. So you're... giving them *another identity*, with your certification.

-Kyle H

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
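The practical problem Kyle describes (a UI that keys on the CN, while the address the user actually cares about lives elsewhere in the certificate) can be worked around at the command line. The following is an added example, not code from the thread, from StartCom or from Mozilla: it builds two constructed, throwaway self-signed certificates that share the generic CN "Startcom Free Certificate Member", one with the address in a subjectAltName rfc822Name and one in the older subject emailAddress attribute, and then answers "which certificate do I have for this address?" by reading those fields instead of the CN. It assumes OpenSSL 1.1.1 or newer (for `req -addext` and `x509 -ext`); the addresses alice@example.com and bob@example.com are invented.

```shell
#!/bin/sh
# Added example, not from the thread: locate the certificate for a given
# e-mail address by reading the rfc822Name SAN (or the legacy subject
# emailAddress), ignoring the generic CN. Assumes OpenSSL 1.1.1+ (-addext,
# x509 -ext). All certificates are constructed, throwaway self-signed ones.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed cert with a generic CN and the identity only in SAN.
make_san_cert() {   # $1 = output path, $2 = CN, $3 = e-mail
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days 1 -subj "/CN=$2" -addext "subjectAltName=email:$3" 2>/dev/null
}

# Constructed self-signed cert carrying the e-mail in the subject DN instead.
make_legacy_cert() {   # $1 = output path, $2 = CN, $3 = e-mail
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days 1 -subj "/CN=$2/emailAddress=$3" 2>/dev/null
}

# Print just the CN, which is all a CN-only UI would show the user.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
    | sed -n 's/^[[:space:]]*CN[[:space:]]*=[[:space:]]*//p'
}

# Print every e-mail the cert actually binds: SAN rfc822Name entries first,
# then any subject emailAddress attribute. One address per line.
cert_emails() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*email:[[:space:]]*//p'
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
    | sed -n 's/^[[:space:]]*emailAddress[[:space:]]*=[[:space:]]*//p'
}

# Given an address and a list of cert files, print the files that bind it
# (exact, whole-line match against the addresses found above).
find_cert_for() {
  want=$1; shift
  for f in "$@"; do
    if cert_emails "$f" | grep -qxF -- "$want"; then
      echo "$f"
    fi
  done
}

CN='Startcom Free Certificate Member'
CERT_ALICE="$WORK/alice.pem"; make_san_cert    "$CERT_ALICE" "$CN" alice@example.com
CERT_BOB="$WORK/bob.pem";     make_legacy_cert "$CERT_BOB"   "$CN" bob@example.com

# The CN tells the user nothing; the e-mail fields do.
echo "CN of both certs: '$(cert_cn "$CERT_ALICE")' / '$(cert_cn "$CERT_BOB")'"
echo "Cert for alice@example.com: $(find_cert_for alice@example.com "$CERT_ALICE" "$CERT_BOB")"
echo "Cert for bob@example.com:   $(find_cert_for bob@example.com   "$CERT_ALICE" "$CERT_BOB")"
```

Both lookups come back with the right file even though `cert_cn` returns the identical string for each certificate, which is the point: a mail client that indexed certificates by subjectAltName (and fell back to subject emailAddress for older issuers) would not need the CA to put the address in the CN at all. RFC 5280 section 4.2.1.6 is also where the rfc822Name SAN is specified as the place for an e-mail identity, so keying on the SAN is the standards-conformant choice rather than a workaround.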