Lie in X.BlaBla...

Eric Murray ericm at lne.com
Fri Jun 1 17:53:29 EDT 2001


On Fri, Jun 01, 2001 at 09:43:50AM -0700, Greg Broiles wrote:
> At 09:58 AM 6/1/2001 +0800, Enzo Michelangeli wrote:
> > > At 07:22 AM 5/31/2001 +0800, Enzo Michelangeli wrote:
> > >
> > > >Besides, it would be idiotic to grant access to information or authorization
> > > >for a transaction to someone, just because he or she has presented a "public
> > > >key certificate": authentication protocols require possession of the private
> > > >key. Those legislators just don't know what they are talking about.
> > > >Scary.
> > >
> > > The statute didn't say "just because" or describe a technical architecture
> > > for an access control system - it criminalized the presentation of a
> > > certificate without "owning" the corresponding private key.
> >
> >Uhm... So, which devious use of someone else's certificate were those guys
> >trying to address? Also a bona fide certificate server could fall afoul of
> >such law.
> 
> They were trying to address any fraudulent (not "devious") use of a 
> certificate to gain access or information, without regard to the technical 
> details.


I'm not a lawyer but I read it the way Greg does.
Intent is required, so simply sending a cert that's part of a chain
and which you don't hold the corresponding private key for, or
acting as a directory, isn't illegal.

But I'd bet that some enterprising DA, given a case where someone
sends four certs in a chain and got the EE cert by fraudulent means, will
charge them with four counts of violating this law.


Eric


