S/MIME keys (was: What Are Some Good Projects For Novices?)

Steve Holden sholden at holdenweb.com
Thu Aug 23 19:10:12 EDT 2001 

"Venkat" <avenkat at myrealbox.com> wrote in message
news:68562b94.0108221909.2a794b85 at posting.google.com...
> Paul Rubin <phr-n2001 at nightsong.com> wrote in message
news:<7xd75ovsbk.fsf at ruckus.brouhaha.com>...
> > avenkat at myrealbox.com (Venkat) writes:
> > > > Thawte gives away personal certs. Yes, free. Signed by a real CA.
You just
> > > > have to provide them with some personal information. If you're
dedicated,
> > > >  you  can also get in on their web of trust. That allows you to have
more
> > > > personal information present in the cert (like your real name).
> > >
> > > Why the hell I need personal cert issued by Thwate/Verisign?
> >
> > So when you send someone signed email, their mail client checks the
> > cert and believes it, rather than throwing a dialog saying it has gotten
> > an untrusted certificate.  Note that those free certs only validate your
> > email address (which of course is enough in many situations) and are
> > only good for a few months.
>
> Use, self-signed certs with life time > 1M years:-)
> Why should we pay money to thse fucken commercial CAs.
>
Well, mostly so that people will trust your certificates. If you signed your
own certificate I would have no more reason to trust it than if you didn't
have a certificate at all.

> >
> > > I can say, all these certs(I call junkies) issued by these CAs are
> > > meta-certs.
>
> well, you contacted some commercial CA for cert. That Commercial CA
> has to do some security checks on the credentials you provided. SO,
> Commercial CA will assign this task to some agencies.
>
> You will get the cert, once that agency provides the positive info abt
> the credentials you submmitted...
>
> Here, the commercial CA is trusting the trust of the agency..
> Hence, Meta Trust:-)
>
Although it has been shown that the commercial agencies can be subverted
(most recently in the Microsoft case that you talk about), in return for the
payment many of them will actually indemnify you against losses you incur.
The larger the payment the greater the indemnity. Of course, none of them
indemnify their free certificates, which seems reasonable.

Utlimately you have to trust *someone*. PGP's ideas in a distributed web of
trust were interesting, but unfortunately there weren't enough PGP users for
indivduals unknown to each other to be able to acquire mutual trust, so the
scheme has pretty much foundered. It would be nice if someone would start a
free "open CA", but sadly there is real work involved in verifying
identities.

Of more concern, of course, is that by default the common browsers don't
check the CA's revocation list to ensure that an apparently valid
certificate hasn't been revoked due to some kind of problem (fraudulently
obtained or issued to wrong party would be the two most common cases). If
there really were a public key infrastructure this would be practical, and
Microsoft wouldn't have had to patch their products to avoid them accepting
the bogus certificates.

you've-got-to-trust-someone-and-i'd rather-trust-verisign-than-you-ly
'rs  - steve
--
http://www.holdenweb.com/

More information about the Python-list mailing list