[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Identity certification (was Re: ANNOUNCEMENT: SPKI ...)

At 11:22 2/26/96, Jueneman@gte.com wrote:

>I'm just saying all this in the spirit of "been there, done that."

I, for one, look forward to your comments, based on your years of experience,
on the proposal I put forth earlier today.


>First of all, we didn't pay adequate attention to trying to ensure that the
>person who was represented in the certificate was uniquely identified. I don't
>recall the details any more, but I seem to remember that we had a name, a
>company affiliation, and a street address -- pretty common stuff based on a
>snail mail view of the world, primarily.


>You may or may not like the geopolitical naming scheme that is often cited as
>an example of a distinguished name in X.500, but I would contend that if you
>want to communicate securely with someone and you don't have the luxury of
>having that person physically hand you a disk with his public keys on it, then
>you had better be pretty sure that he is who you think he is, and not one of
>the other 23,000 William Smiths in the US. Likewise, if you are going to honor
>or trust his digital signature for anything important, you would want to know
>exactly who that person is as well.

This presupposes that you have a Bill Smith in mind, from meeting him
in the physical world, and you're looking for his key.  In fact, I believe
you're describing the X.500 problem, not the X.509 problem.  That is, I knew
someone once and want to find them on the Internet.  Once I've found them,
it's relatively easy to find a public key for them.

In a way, I think the paragraphs of yours I quoted above are anachronistic.

Most of my friends for whom I need public keys are people I've met online.
I've never met them in the physical world, so I have no way to distinguish
one Bill Smith from another.

I know them only through their written words.

If these people digitally signed their messages, then the public key
associated with those signatures is the very best unique name for these
individuals.  It belongs to the mind which composed the words by which
I came to know this person and is a far more direct, solid, immediate
link to that "person" I came to know than would be any name tied to the
physical world.

[The ones I know physically, I obtain keys from in person, for the most part.
The few remaining can establish their identities, for my purpose, by telling
me things only the two of us know, over a secure channel.  So, even in this
case where I have physical-world references to a given person, I don't
need a Distinguished Name.]

 - Carl

|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091      Tel: (703) 620-4200                                 |