[607] in WWW Security List Archive
Re: Netscape Changes RSA tree
daemon@ATHENA.MIT.EDU (Taher Elgamal)
Fri Apr 21 16:07:41 1995
To: www-security@ns1.rutgers.edu
From: Taher Elgamal <elgamal@netscape.com>
Date: 21 Apr 1995 15:44:36 GMT
Errors-To: owner-www-security@ns2.rutgers.edu
I think we are mixing a certificate with a digital signature. A
certificate is a proof of identity attached to the use of a public key.
There is no reason for a single proof of identity, since we already have
several. The fact that one can prove their identity in a bank using a
different document from a proof at the airport tells us that each
"entity" needs to have its "trusted" method of verifying the identity.
A digital signature on the other hand is a proof that a document was
signed with the underlying certificate and name and that it has not
changed since the signature.
The method of "binding" the identity with the public key is almost
arbitrary here and can be done in many different ways. As a matter of
fact your digitized "hand written" signature can be a part of the
identity portion of the certificate.
I believe that we will need multiple levels of trust for certificates; a
hierarchy, however, is a convenient method of verifying the trust level
associated with a particular certificate.
By the way, Netscape supports any certificate under the RSA tree --
including other CA's. Some roots under the RSA tree are included in the
software for convenience, and it is true that future releases will
support dynamic importing of any root of choice.
--
Taher Elgamal
Chief Scientist
Netscape Communications Corp.
(415) 528 2898
elgamal@netscape.com
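The distinction Elgamal draws above, a certificate as a CA-signed binding of an identity to a public key versus a digital signature as proof over a document, plus the "import any root of choice" point, as an added example in Ruby's OpenSSL bindings (not code from the post or from Netscape): a constructed root CA, subordinate CA and end-entity certificate. The chain verifies only once the verifier has imported the root, and the document signature fails once the document changes. Every name and the sample document are made up.

```ruby
require "openssl"

# issue is the "binding" the post describes: the signer's key (the parent CA's, or the subject's
# own when parent is nil, which yields a self-signed root) signs the pair (identity cn, public key pub).
def issue(serial, cn, ca, parent, pub, signer)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, so the extensions below are allowed
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([["CN", cn]])
  cert.issuer = parent ? parent.subject : cert.subject
  cert.public_key = pub
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign" : "digitalSignature", true))
  cert.sign(signer, OpenSSL::Digest.new("SHA256")) # returns the signed certificate
end

# A constructed root CA -> subordinate CA -> end-entity chain; every name here is made up.
def build_hierarchy
  root_key, inter_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = issue(1, "Example Root CA", true, nil, root_key.public_key, root_key)
  inter = issue(2, "Example Sub CA", true, root, inter_key.public_key, root_key)
  leaf = issue(3, "alice@example.test", false, inter, leaf_key.public_key, inter_key)
  [root, inter, leaf, leaf_key]
end

# The identity check: does leaf chain, via inter, to a root this verifier has imported? No roots, no trust.
def chains_to_root?(leaf, inter, *trusted_roots)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |r| store.add_cert(r) }
  store.verify(leaf, [inter])
end

# The digital signature: proof that the key named in leaf signed doc and that doc is unchanged since.
def sign_doc(key, doc)
  key.sign(OpenSSL::Digest.new("SHA256"), doc)
end

def unchanged?(leaf, doc, sig)
  leaf.public_key.verify(OpenSSL::Digest.new("SHA256"), sig, doc)
end
if __FILE__ == $PROGRAM_NAME
  root, inter, leaf, leaf_key = build_hierarchy
  sig = sign_doc(leaf_key, "Transfer 100 to account 42") # constructed sample document
  p [chains_to_root?(leaf, inter), chains_to_root?(leaf, inter, root)] # => [false, true]
  p [unchanged?(leaf, "Transfer 100 to account 42", sig), unchanged?(leaf, "Transfer 900 to account 42", sig)] # => [true, false]
end
```

Adding a second, unrelated root to the store would not make this chain verify either; only the root that actually signed the subordinate CA does.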