Five Theses on Security Protocols

John Levine johnl at iecc.com
Sat Jul 31 13:17:19 EDT 2010


Nice theses.  I'm looking forward to the other 94.  The first one is a
nice summary of why DKIM might succeed in e-mail security where S/MIME
failed.  (Succeed as in, people actually use it.)

>2 A third party attestation, e.g. any certificate issued by any modern
>  CA, is worth exactly as much as the maximum liability of the third
>  party for mistakes. If the third party has no liability for
>  mistakes, the certification is worth exactly nothing. All commercial
>  CAs disclaim all liability.

Geotrust, to pick the one I use, has a warranty of $10K on their cheap
certs and $150K on their green bar certs.  Scroll down to the bottom
of this page where it says Protection Plan:

http://www.geotrust.com/resources/repository/legal/

It's not clear to me how much this is worth, since it seems to warrant
mostly that they won't screw up, e.g., leak your private key, and
they'll only pay to the party that bought the certificate, not third
parties that might have relied on it.

R's,
John

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


