
Re: non-key-sharing

>At 11:38 PM 11/6/97 -0800, Bill Frantz wrote:
>>I get the feeling that there is an underlying assumption that key pairs are
>>a scarce resource.  This is certainly not true in the SPKI case, although
>>it may be in the more general digital signature realm.  In the banking
>>case, I specifically mentioned the assumption that the key pair used was
>>specific to the account.
>I suspect that the scarcity of key pairs comes back to an assumption in
>parts that one needs a purchased identity certificate in order to use a key
>pair.  This assumption comes from the business model of a CA, not from
> - Carl

No, that's a conclusion, rather than an assumption.

The assumption is that in order to be able to trust a key pair nominally
associated with someone you have never met and don't know anything about,
that it is necessary to have some trusted third party play some kind of an
intermediary role in vouching for the individual who allegedly holds the
private key.

The trusted third party may or may not testify to the creditworthiness of
that individual -- they may only confirm his identity, AKA his globally
unambiguous name (sorry, Carl). But in order for this identification to have
some viability in the commercial world, there has to be the possibility of
financial recourse in the event the CA screws up.

And since such enterprises don't run on love, the CAs will charge for these

That doesn't mean that your PGP certificates may not be perfectly acceptable
among your circle of friends. It just means that your bank won't accept
them, and neither will the local five and dime.