[14074] in cryptography@c2.net mail archive


Re: Is cryptography where security took the wrong branch?

daemon@ATHENA.MIT.EDU (Anne & Lynn Wheeler)
Sun Sep 7 23:10:56 2003

X-Original-To: cryptography@metzdowd.com
Date: Sun, 07 Sep 2003 17:19:24 -0600
To: "James A. Donald" <jamesd@echeque.com>
From: Anne & Lynn Wheeler <lynn@garlic.com>
Cc: crypto <cryptography@metzdowd.com>
In-Reply-To: <3F5B24DE.11625.5138C82@localhost>

At 12:30 PM 9/7/2003 -0700, James A. Donald wrote:
>To the extent that trust information is centrally handled, as
>it is handled by browsers, it will tend to be applied in ways
>that benefit the state and the central authority.  Observe for
>example that today all individual certificates must be linked
>to one's true name and social security number if it is to
>receive default acceptance, and analogously for corporate
>certificates.

in the case of SSL domain name certificate .... for both domain name 
infrastructure and CA/PKI .... it is a case of authenticating that the 
web site you think you are talking to is really the web site you are 
talking to. The business issue is that the domain name registration and the 
CA/PKI are disjoint business operations and the domain name registration 
didn't provide for a really good authentication mechanism. As a result, when 
getting a certificate request, the CA/PKI has to check with the domain name 
infrastructure .... map their information out to an external world 
identification, and then map the entity making the certificate request out 
to the same external world identification.

Out of all this, there is somewhat of a request from the CA/PKI industry that 
a public key be registered as part of domain name registration (no 
certificate, just a public key registration). Then SSL domain name 
certificate requests coming into a CA/PKI can be digitally signed; the 
CA/PKI can retrieve the authoritative authentication public key (for the 
domain name ownership) from the domain name infrastructure and authenticate 
the request .... eliminating all the identification gorp (and also done w/o 
the use of certificates).

misc. additional recent musings:
http://www.garlic.com/~lynn/2003l.html#60  Proposal for a new PKI model (At least I hope it's new)
--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
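The signed-request flow described in the message above, written out as an added example; it is not part of the original post and does not model any real CA or registry software. It assumes a toy registry (an in-memory map from domain to the public key supplied at registration), Ed25519 for the registration key, and a JSON encoding of the request as the bytes that get signed; all of those, and the names CertRequest, SignedRequest, SignRequest and VerifyRequest, are choices made here for illustration. The point it makes concrete is the one in the text: the CA never maps anyone to a real-world identity, it only checks that whoever signed the request holds the key registered for the domain, and a request signed with any other key (or for a domain with no registered key) is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Registry stands in for the domain name infrastructure: it maps a registered
// domain to the public key the registrant supplied at registration time.
// No certificate is involved, just a public key (an assumption of this example).
type Registry map[string]ed25519.PublicKey

// CertRequest is a hypothetical SSL domain name certificate request as the CA
// receives it. ServerKey is the key that will go into the certificate; it is
// deliberately distinct from the registration key used to sign the request.
type CertRequest struct {
	Domain    string `json:"domain"`
	ServerKey []byte `json:"server_key"`
}

// SignedRequest carries the request plus a signature made with the private
// half of the key registered for Request.Domain.
type SignedRequest struct {
	Request   CertRequest `json:"request"`
	Signature []byte      `json:"signature"`
}

var (
	ErrUnknownDomain = errors.New("domain has no registered public key")
	ErrBadSignature  = errors.New("signature does not verify against the registered key")
)

// requestBytes is the canonical encoding that is signed and verified. Struct
// field order makes json.Marshal deterministic here.
func requestBytes(r CertRequest) ([]byte, error) {
	return json.Marshal(r)
}

// SignRequest is the registrant's side: sign the request with the
// domain-registration private key.
func SignRequest(r CertRequest, regPriv ed25519.PrivateKey) (SignedRequest, error) {
	msg, err := requestBytes(r)
	if err != nil {
		return SignedRequest{}, err
	}
	return SignedRequest{Request: r, Signature: ed25519.Sign(regPriv, msg)}, nil
}

// VerifyRequest is the CA's side: fetch the authoritative key for the domain
// from the registry and check the signature over the request bytes. There is
// no mapping of either party to an external identity.
func VerifyRequest(reg Registry, sr SignedRequest) error {
	pub, ok := reg[sr.Request.Domain]
	if !ok {
		return ErrUnknownDomain
	}
	msg, err := requestBytes(sr.Request)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sr.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed sample: one registered domain, one legitimate request,
	// one request for the same domain signed by an unrelated key.
	regPub, regPriv, _ := ed25519.GenerateKey(rand.Reader)
	serverPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	reg := Registry{"example.com": regPub}
	req := CertRequest{Domain: "example.com", ServerKey: serverPub}

	good, _ := SignRequest(req, regPriv)
	bad, _ := SignRequest(req, attackerPriv)

	fmt.Println("registrant-signed request:", VerifyRequest(reg, good)) // <nil>
	fmt.Println("attacker-signed request:  ", VerifyRequest(reg, bad))  // bad signature
}
```

Tampering with any field of the request after signing (say, swapping in a different ServerKey) also fails verification, since the signature covers the whole encoded request. What the example does not cover, and what the message does not address either, is how the registrant's registration key is itself enrolled and rotated at the registry; in this scheme that is the one place where the trust actually bottoms out.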
  


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
