A crazy thought?

[Udhay Shankar N]

At 06:28 AM 5/27/2007, Allen wrote:

>Validating a digital signature requires getting the public key from 
>some source, like a CA, or a publicly accessible database and 
>decrypting the signature to validate that the private key associated 
>with the public key created the digital signature, or "open message."
>
>Which lead me to the thought of trust in the repository for the 
>public key. Here in the USA, there is a long history of behind the 
>scenes "cooperation" by various large companies with the forces of 
>the law, like the wiretap in the A&TT wire room, etc.
>
>What is to prevent this from happening at a CA and it not being 
>known for a lengthy period of time? Jurors have been suborned for 
>political reasons, why not CAs? Would you, could you trust a CA 
>based in a country with a low ethics standard or a low regard for human rights?
>
>Which lead me to the thought that if it is possible, what could be 
>done to reduce the risk of it happening?

This (if I'm understanding you correctly) is exactly the thing that 
the web of trust [1] is intended to address. One issue with the web 
of trust is how to bootstrap it. My understanding is that in the case 
of PGP, this was handled by Zimmermann publishing his public key in 
the (dead-trees) version of his book.

Udhay

[1] http://en.wikipedia.org/wiki/Web_of_trust

-- 
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com