
Re: legal question about certs



I have an application for SPKI certs where subject signing doesn't make
sense.  Consider an authority which checks program publishers and issues
"seals of approval".  Each publisher generates a code signature with its
private key.  The authority issues SPKI certs saying that, based on its
review procedures, the certified signer obeys good coding practices and
their code is unlikely to format your hard disk.

A verifier accepts the certs and checks the signatures on the code.  The
verifier logs which signature it checked, so responsibility for bad things
can be reflected back to the publisher (as well as the authority).

Now why does the publisher even have to know about the authority, much less
acknowledge it?


-------------------------------------------------------------------------
Bill Frantz       | The Internet was designed  | Periwinkle -- Consulting
(408)356-8506     | to protect the free world  | 16345 Englewood Ave.
frantz@netcom.com | from hostile governments.  | Los Gatos, CA 95032, USA
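
The flow described in the message above, as an added example that is not part of the original post. It assumes Ed25519 keys and a simplified `Seal` struct standing in for an SPKI cert; the struct, the tag string and all function names are hypothetical. The publisher signs only its code and takes no part in issuing the seal.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Seal is a simplified stand-in for an SPKI cert (assumption, not SPKI syntax).
type Seal struct {
	Subject ed25519.PublicKey // publisher's code-signing key
	Tag     string            // what the authority asserts (constructed value)
	Sig     []byte            // authority's signature over Tag || 0x00 || Subject
}

func sealBytes(subject ed25519.PublicKey, tag string) []byte {
	return append([]byte(tag+"\x00"), subject...)
}

// IssueSeal needs only the publisher's public key, never its cooperation.
func IssueSeal(authority ed25519.PrivateKey, subject ed25519.PublicKey, tag string) Seal {
	return Seal{subject, tag, ed25519.Sign(authority, sealBytes(subject, tag))}
}

// Verify checks the seal, then the code signature, and returns a log line naming
// the key whose signature was checked, so blame can be traced to the publisher.
func Verify(authority ed25519.PublicKey, s Seal, code, codeSig []byte) (string, bool) {
	if len(s.Subject) != ed25519.PublicKeySize || !ed25519.Verify(authority, sealBytes(s.Subject, s.Tag), s.Sig) {
		return "rejected: seal not issued by trusted authority", false
	}
	if !ed25519.Verify(s.Subject, code, codeSig) {
		return "rejected: code signature does not match sealed key", false
	}
	id := sha256.Sum256(s.Subject)
	return fmt.Sprintf("accepted: tag=%s signer=%x", s.Tag, id[:8]), true
}

func Demo() (line string, ok1, ok2 bool) {
	authPub, authPriv, _ := ed25519.GenerateKey(nil)
	pubPub, pubPriv, _ := ed25519.GenerateKey(nil)
	code := []byte("constructed sample program bytes")
	codeSig := ed25519.Sign(pubPriv, code) // the publisher's only action
	seal := IssueSeal(authPriv, pubPub, "good-coding-practices")
	line, ok1 = Verify(authPub, seal, code, codeSig)
	_, ok2 = Verify(authPub, seal, append(code, '!'), codeSig) // tampered code
	return
}

func main() { fmt.Println(Demo()) }
```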


