[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Summary Trust x Delegation (fwd)

> If my understanding is correct, please describe in specific detail how 
> the SPKI delegation mechanism is any less secure or robust than the 
> real-world authorization and delegation mechanisms upon which human
> civilization is currently built.
> 	-Michael Robinson

(The first mail probably didn't arrive, but if it did, sorry for
this duplicate)

Well, suppose your friend Alice certfies a cert from her friend Bob,
and that cert from Bob says he knows a shop where they sell a product
X, which you 're looking for for a long time. The cert contains the
public key of the shop, so you and the shop can sign an agreement to
sent X to you for some (prepaid) money. 
-> This is the SPKI way, isn't it? But it is not so secure, I think,
   because you can't really trust that signature.

In real world, you would go to that shop. Or you search their phone
number in the Yellow Pages so you know if it's a real shop, and ask
if they send a fax to you. (Not extremely safe but often enough.)
Or if you know a good CA who happened to certify the shop, you 're 
safe too if legislation is OK. 
And as far as I understand MC, you would ask that shop to send you
a private MC, a program which will do authentication for you (I hope 
I'm right, Ed Gerk).

I hope this makes sense...

Thanks for the trouble of explaining this to me,