should you trust CAs? (Re: dual-use digital signature vulnerability)
David Honig
dahonig at cox.net
Fri Jul 30 22:35:19 EDT 2004
At 02:09 PM 7/28/04 -0400, Adam Back wrote:
>The difference is if the CA does not generate private keys, there
>should be only one certificate per email address, so if two are
>discovered in the wild the user has a transferable proof that the CA
>is up to no good. I.e., the difference is it is detectable and provable.
Who cares? A CA is not legally liable for anything they
sign. A govt is not liable for a false ID they issue
a protected witness. The emperor has no clothes, just
a reputation, unchallenged, ergo vapor.
=================================================
36 Laurelwood Dr
Irvine CA 92620-1299
VOX: (714) 544-9727 (home) mnemonic: P1G JIG WRAP
VOX: (949) 462-6726 (work -don't leave msgs, I can't pick them up)
mnemonic: WIZ GOB MRAM
ICBM: -117.7621, 33.7275
HTTP: http://68.5.216.23:81 (back up, but not 99.999% reliable)
PGP PUBLIC KEY: by arrangement
Send plain ASCII text not HTML lest ye be misquoted
------
"Don't 'sir' me, young man, you have no idea who you're dealing with"
Tommy Lee Jones, MIB
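The detectability property Adam Back describes above, as an added illustration that is not part of the original post or of any real CA's code: when subjects generate their own keys, a CA that is behaving has only one reason to sign a given email address, so two valid certificates from the same issuer binding that address to different keys are evidence anyone holding the CA's public key can check for themselves. The issuer name "ToyCA", the textbook RSA signing with a 92-bit modulus and the certificate format are all constructed for the example.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

# Toy CA signing key (constructed for this example): two Mersenne primes give a
# 92-bit modulus, far too small for real use but enough to keep the arithmetic visible.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
CA_PUBKEYS = {"ToyCA": (N, E)}             # hypothetical issuer name -> public key


def _digest_mod(tbs: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n


def ca_sign(tbs: bytes) -> int:
    """Textbook RSA signature by the toy CA over the to-be-signed bytes."""
    return pow(_digest_mod(tbs, N), D, N)


def verify(tbs: bytes, sig: int, n: int, e: int) -> bool:
    """Anyone holding the CA public key can run this, which is what makes a
    signed certificate transferable evidence rather than a claim by the reporter."""
    return pow(sig, e, n) == _digest_mod(tbs, n)


@dataclass(frozen=True)
class Cert:
    issuer: str
    email: str
    key_fp: str      # fingerprint of the subject's (self-generated) public key
    serial: int
    sig: int

    @staticmethod
    def tbs_bytes(issuer: str, email: str, key_fp: str, serial: int) -> bytes:
        return f"{issuer}|{email}|{key_fp}|{serial}".encode()

    def tbs(self) -> bytes:
        return self.tbs_bytes(self.issuer, self.email, self.key_fp, self.serial)


def issue(issuer: str, email: str, key_fp: str, serial: int) -> Cert:
    """What the CA does: bind an email to a key the subject generated, then sign."""
    return Cert(issuer, email, key_fp, serial,
                ca_sign(Cert.tbs_bytes(issuer, email, key_fp, serial)))


def find_conflicting_bindings(certs, ca_pubkeys=CA_PUBKEYS):
    """Return (cert_a, cert_b) pairs in which one issuer bound the same email to two
    different keys. Only certificates whose signature verifies under the issuer's
    public key are considered, so a forged or tampered cert cannot manufacture a
    false accusation, and every returned pair is checkable by a third party."""
    by_binding = defaultdict(list)
    for c in certs:
        if c.issuer in ca_pubkeys and verify(c.tbs(), c.sig, *ca_pubkeys[c.issuer]):
            by_binding[(c.issuer, c.email)].append(c)
    conflicts = []
    for group in by_binding.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if a.key_fp != b.key_fp:
                    conflicts.append((a, b))
    return conflicts


def demo():
    """Constructed sample: a legitimate cert, a second cert for the same address with
    a different key (what a misbehaving CA would produce), an unrelated cert, and a
    forgery with a bogus signature that must be ignored."""
    legit = issue("ToyCA", "alice@example.com", "fp:alice-1", 1)
    rogue = issue("ToyCA", "alice@example.com", "fp:other-key", 2)
    other = issue("ToyCA", "bob@example.com", "fp:bob-1", 3)
    forged = Cert("ToyCA", "alice@example.com", "fp:forged", 4, sig=12345)
    return find_conflicting_bindings([legit, rogue, other, forged])


if __name__ == "__main__":
    for a, b in demo():
        print(f"{a.issuer} bound {a.email} to both {a.key_fp} (serial {a.serial}) "
              f"and {b.key_fp} (serial {b.serial})")
```

The check only finds certificates that someone has actually collected, which is why the argument needs "discovered in the wild": a second certificate that is never observed produces no proof. A legitimate rekey or renewal also yields two certificates for one address, so in practice a conflict is a trigger for investigation (overlapping validity, the subject denying the second request) rather than a verdict on its own.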
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com