A crazy thought?
Jim Dixon
jdd at dixons.org
Wed May 30 13:22:07 EDT 2007
On Sat, 26 May 2007, Allen wrote:
> Validating a digital signature requires getting the public key from
> some source, like a CA, or a publicly accessible database and
> decrypting the signature to validate that the private key associated
> with the public key created the digital signature, or "open message."
Yep.
> Which lead me to the thought of trust in the repository for the
> public key. Here in the USA, there is a long history of behind the
> scenes "cooperation" by various large companies with the forces of
> the law, like the wiretap in the A&TT wire room, etc.
>
> What is to prevent this from happening at a CA and it not being
> known for a lengthy period of time? Jurors have been suborned for
> political reasons, why not CAs? Would you, could you trust a CA
> based in a country with a low ethics standard or a low regard for
> human rights?
The CA certifies that X is your public key. It doesn't know what your
private key is.
If the CA starts handing out false public keys - which is the worst
that it could do, right? - it will find itself instantly distrusted.
Everybody in the world will be able to see that the CA used its private
key to sign a false statement. The offended party need only put the
false declaration up on the Web.
--
Jim Dixon jddixon at gmail.com cellphone 415 / 570 3608
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list