[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: legal question about certs

To: Bob Jueneman <BJUENEMAN@novell.com>
Subject: Re: legal question about certs
From: Steven Bellovin <smb@research.att.com>
Date: Wed, 25 Jun 1997 21:09:17 -0400
Cc: cme@cybercash.com, banisar@epic.org, spki@c2.net

	 Unfortunately, the argument is circular.  If you are concerned
	 about a rogue CA issuing a certificate to someone who never
	 heard of that CA, that CA could invent whatever public/private
	 key pair they wished, and embed that key in the certificate
	 they are issuing!

Yup -- this is an important point, and one I'd mentioned privately to
a few folks.  Without a countersignature by an independent party,
you lose non-repudiation.  That is, if a bank is the sole certifier
of the certificate nominally associated with my bank account, it's
much harder for them to prove to the judge that I made certain withdrawals.
After all, I could claim that that wasn't my certificate, but one they
concocted out of whole cloth.

Prev by Date: Re: legal question about certs
Next by Date: Re: legal question about certs
Prev by thread: Re: non-id certs +++
Next by thread: Re: legal question about certs
Index(es):
- Main
- Thread