CFP: PKI research workshop
Arnold G. Reinhold
reinhold at world.std.com
Mon Jan 14 17:58:56 EST 2002
At 12:09 PM -0500 1/14/02, John S. Denker wrote:
>...
>Returning to PKI in particular and software defects in
>particular: Let's not make this a Right-versus-Wrong
>issue. There are intricate and subtle issues here.
>Most of these issues are negotiable.
>
>In particular, you can presumably get somebody to insure
>your whole operation, for a price. In the grand scheme
>of things, it doesn't matter very much whether you (the
>PKI buyer/user) obtain the insurance directly, or whether
>the other party (the PKI maker/vendor) obtains the insurance
>and passes the cost on to you. The insurer doesn't much
>care; the risk is about the same either way.
>
The point is that the risks are not the same. A CA can lower the cost
of insurance it sells by taking additional precautions to reduce
risk. The CA is also in a better position to estimate the true
premium. A third party has to charge a very high premium since it is
in a poorer position to make an accurate assessment of the risk.
There would be a way for third parties to reduce their risk if some
simple mechanism existed for independent verification of
certificates. I once proposed that all PGP users display a small card
containing their key fingerprint in a window near their front door.
The corporate equivalent would be for organizations to display a hash
of a master signing key in their main and branch lobbies. Anyone
could then verify this key if they wanted to. There might be a bounty
for discovering any irregularity. A network of certificate insurers
might develop who would go from office to office recording
fingerprints and then selling lists by subscription along with a
guarantee of reimbursement for damages up to a certain amount if any
of their data were incorrect.
Arnold Reinhold
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list