-----BEGIN PGP SIGNED MESSAGE-----
At 10:42 AM 11/11/97 -0700, Bob Jueneman wrote:
>I don't think that the keys themselves are scarce. Rather, it is that
>certificates are expensive, because of the administrative burden and
>liability implications of binding of the key to anything at all, whether an
>"identity" or a set of capabilities. (I'm using the term certificate in the
>most generic sense, not tied to X.509 or any other format.)
>You can certainly make certificates inexpensive, but only by making them
>essentially worthless to the relying party.
I disagree. If I issue a free name certificate binding the ASCII string
"Jim" to some key and you and I have a phone discussion during which I tell
you I'll be sending you my friend Jim's cert, I can then send you that
name cert and you can use it with confidence. The fact that I had no
significant cost doesn't invalidate my use of digital signatures. Rather,
what makes my low cost signature valid (for end use signatures as well as
for certificates) is that I'm too small a fish in this ocean of signers to
be singled out for attack.
If you rule out that possibility, then you have to rule out any and all
digital signatures I might make. Certificates are nothing special -- unless
your business model says they should be.
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
-----END PGP SIGNATURE-----