
Re: Self-signed certificates

On Thu, 26 Jun 1997 jar@ornl.gov wrote:

-> Many certificates need no signature by the holder. For example, we want
-> to use SPKI certificates for authorization control in online electron
-> microscopes. A certificate that is issued to the user after he has
-> passed a training test does not need to be signed by the user because
-> the test administrator is the only party that needs to be satisfied
-> that the test was passed properly. 

The point in question is not whether an end user should sign the cert, but
if the user who receives a delegation in that cert should sign the
cert. Two entirely different points. 

If your user does not agree with the cert and thinks he is not qualified,
he may never use the cert. Nothing will happen without his actions.

However, when Jon certifies that Mary is the company's lawyer, Mary is not
an end user because her acts -- or no acts -- in that capacity transcend
herself. She may be "framed" and unwillingly cause a denial-of-service --
by a cert she never knew existed! In this case, even without Mary's
actions, bad things may happen. 

This is the point that has started this thread or "gentle war" as Carl
wrote ;-) 


Ed Gerck
Dr.rer.nat. E. Gerck                        egerck@laser.cps.softex.br
P.O.Box 1201, CEP13001-970, Campinas-SP, Brazil  - Fax: +55-19-2429533
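The distinction drawn in the message, that a plain authorization cert (the microscope training case) needs only the issuer's signature while a cert that makes the subject act for someone else (the "company lawyer" case) should also carry the subject's acceptance, can be modelled as a verification rule. The following is an added illustration, not code from the thread or from any SPKI implementation. It uses HMAC with constructed per-principal secrets as a stand-in for real public-key signatures, and the field names (`delegate`, `subject_sig`) and the principal names are assumptions chosen for the example.

```python
import hashlib
import hmac
import json

# Constructed per-principal secrets. They stand in for each party's private
# signing key; a real SPKI deployment would use public-key signatures so a
# verifier never holds anyone's secret.
KEYS = {
    "jon": b"jon-secret-key-constructed",
    "mary": b"mary-secret-key-constructed",
    "test-admin": b"admin-secret-key-constructed",
}


def _canonical(body):
    """Deterministic byte encoding of the cert body so signatures are stable."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _sign(principal, data):
    return hmac.new(KEYS[principal], data, hashlib.sha256).hexdigest()


def _signature_valid(principal, data, sig):
    return sig is not None and hmac.compare_digest(_sign(principal, data), sig)


def issue_cert(issuer, subject, tag, delegate=False):
    """Issuer creates and signs a cert. 'delegate' (assumed field) marks a cert
    that lets the subject act on the issuer's behalf, e.g. 'company lawyer'."""
    body = {"issuer": issuer, "subject": subject, "tag": tag, "delegate": delegate}
    return {"body": body, "issuer_sig": _sign(issuer, _canonical(body)), "subject_sig": None}


def accept_cert(cert, subject):
    """Subject countersigns the body to show they agree to act in that capacity."""
    if cert["body"]["subject"] != subject:
        raise ValueError("only the named subject can accept this cert")
    accepted = dict(cert)
    accepted["subject_sig"] = _sign(subject, _canonical(cert["body"]))
    return accepted


def verify_cert(cert):
    """Return (ok, reason). A delegation cert is valid only once the subject has
    countersigned; a plain authorization cert needs only the issuer's signature,
    so nobody can be 'framed' into a capacity they never agreed to."""
    body = cert["body"]
    data = _canonical(body)
    if not _signature_valid(body["issuer"], data, cert["issuer_sig"]):
        return False, "issuer signature invalid"
    if body["delegate"] and not _signature_valid(body["subject"], data, cert["subject_sig"]):
        return False, "delegation not accepted by subject"
    return True, "ok"


if __name__ == "__main__":
    training = issue_cert("test-admin", "mary", "microscope-operator")
    print(verify_cert(training))                       # (True, 'ok')
    lawyer = issue_cert("jon", "mary", "company-lawyer", delegate=True)
    print(verify_cert(lawyer))                         # (False, 'delegation not accepted by subject')
    print(verify_cert(accept_cert(lawyer, "mary")))    # (True, 'ok')
```

The training cert verifies on the issuer's signature alone, matching the microscope example; the lawyer cert is rejected until Mary countersigns it, so a cert issued without her knowledge cannot be used to attribute acts to her. Because the acceptance covers the same canonical body as the issuer's signature, any later change to the body invalidates both.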