On 03/27/2009 04:40 PM, Kyle Hamilton:
And fortunately I'm glad to inform you that he wouldn't have received a
verified certificate from StartCom. I'm not saying it's impossible with faked
passports to receive certification, however the hooks and jumps the
subscriber has to go through makes it rather difficult. Since there are
easier targets and easier ways to obtain such certification than through
StartCom, I believe that there are none and most likely never will be.
*shrugs* So, you're saying that you're a better arbiter of identity
than the government is.

I have to cut this response short... but to answer the above: it is quite interesting, perhaps surprising, but certainly logical. As a CA we do perhaps receive the passport and other identity documents, but we can't solely rely on them. This means a cross-verification with other sources and verification of the source must happen, including with interaction of the subscriber. The passport and other ID docs only represent the claim made by the subscriber; they are not the evidence for the successful validation. That's why I explained that those four non-existent people would NOT have received a verified certificate.

Too bad you're not authoritative.

We are, depending on the purpose.

Putting a non-legal name in the CN is absolutely NOT a correct
implementation.  That rightfully belongs in the "Organization" field,
not the common name.

So the common name would have to remain empty in this case which would lead to approximately the same.

My alternative is simple: validate based on realm membership.

But that's an entirely different context.

In fact, I could take your public key from your
certificate from StartCom and certify that.  It wouldn't matter to
anyone except me, and who trusted me.

Exactly. The context and established rules CAs operate in conjunction with browser, mail and other software is a different one than the one you are proposing. One doesn't rule out the other however.

X.509's trust model is not antithetical to a web of trust.  It just
takes additional UI to do it -- UI which you and Nelson have fought
fang and claw.

Yep.

These places want to use client certificates, but they have no idea
how to do so -- and since I write the software, I maintain the
software, and I haven't been able to get them to agree on a security
policy, I can't write code to implement it.

Ahhh, at least here an established policy and framework exists - some simply don't like it. But it allows one to implement the software and establish the rules for all participants.

If you want to see an example of a thriving realm which exists outside
the authentication space of what you're willing to certify,
http://forums.xkcd.com/ .  All of whose users use pseudonyms, yet
within the pseudonymous realm each pseudonym is unique.

It wouldn't help me if I need to know who the person is; you usually can't sign a contract with a pseudonym. Binding a real identity to the possession of a key only strengthens the claim of both when used universally. Within a specific space this might not be needed.

But, that doesn't matter to you.  Your beliefs, your assumptions, your
demands of the world at large and what it's willing to accept are more
sacred and holy than the mitzvot contained in the Torah.

That might be quite right ;-)

But neither of the established rules (Torah and PKI) grew on my turf, I'm only interpreting and implementing.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
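The exchange above touches two concrete X.509 points: where a validated name belongs in the subject (the "Organization" field rather than CN) and Kyle's observation that anyone can take a public key already certified by one CA and certify it again under their own root, where the result only matters to relying parties who trust that root. The program below is an added example written for this page; it is not code from the thread, from StartCom or from Mozilla NSS. It uses only Go's standard library, and every CA name, subscriber name and country code in it is a constructed placeholder. It certifies one subscriber key under two independent self-signed roots, puts the validated identity in O with an empty CN, and then checks each leaf against each trust store to show that trust is decided entirely by which root the verifier holds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA certificate and its private key.
// The organization name is a constructed placeholder, not a real root.
func newCA(org string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: org + " Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issue signs an end-entity certificate for pub under ca. The subject is
// passed in by the caller so the same key can be certified by several issuers.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject pkix.Name, pub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// chainsTo reports whether leaf builds a valid chain to one of the given roots.
// Nothing else (not the subject, not who else signed the same key) affects this.
func chainsTo(leaf *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// Demo certifies one subscriber key under two unrelated roots and returns the
// verification outcomes keyed by a short description.
func Demo() map[string]bool {
	caA, keyA := newCA("Example CA A") // constructed issuer names
	caB, keyB := newCA("Example CA B")

	subKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Validated legal identity goes in O; CN is deliberately left empty.
	subject := pkix.Name{Organization: []string{"Example Subscriber Ltd"}, Country: []string{"XX"}}

	leafA := issue(caA, keyA, subject, &subKey.PublicKey)
	leafB := issue(caB, keyB, subject, &subKey.PublicKey) // same key, different issuer

	return map[string]bool{
		"leafA trusted by A":  chainsTo(leafA, caA),
		"leafA trusted by B":  chainsTo(leafA, caB),
		"leafB trusted by B":  chainsTo(leafB, caB),
		"leafB trusted by A":  chainsTo(leafB, caA),
		"same key in both":    leafA.PublicKey.(*ecdsa.PublicKey).Equal(leafB.PublicKey),
		"CN empty, O present": leafA.Subject.CommonName == "" && len(leafA.Subject.Organization) == 1,
	}
}

func main() {
	for k, v := range Demo() {
		fmt.Printf("%-22s %v\n", k, v)
	}
}
```

Each leaf verifies only against the root that issued it, even though both carry the identical public key and subject; a relying party that adds the second root to its store would accept the second certification too, which is the mechanism behind the "web of trust on top of X.509" point and also why membership of a browser's root program, not the subject fields, is what makes a CA authoritative for that browser's users.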

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto