[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The role of trust in certification

On Fri, 13 Feb 1998, Bob Blakley wrote:

-> This is a big part of the problem.  What a certificate actually *says*
-> is something like
-> "By the power vested in me, I now declare this text string and this bit 
-> string 'name' and 'key'.  What RSA has joined, let no man put asunder".

This is a common misconception. Actually, what the certificate *says* is:

"I declare by my own will that this text string which contains information
apparently received from the entity named in it, which/who I never saw, to
be copied as apparently received and formatted by myself in such a way
that it conforms to my own heart's content and self-defined rules which I
can change at any moment now or in the future at will, for which
declaration I provide no guarantee or assurances, to be designated as
'name'; and I also declare under the same conditions decided by myself
that this bit string which I may have tested to verify if it corresponds
to a private counterpart apparently in possession of the same apparent
entity that provided the 'name', to be called 'key', at this apparent
date.  Therefore, I attest of myself as being myself and trustful in all
my deeds and have apparently signed it, which you can verify by using my
public-key apparently identified by this bit string, of which validity and
dependence you know nothing of.  If this declaration is revoked by some
reason I provide no assurances that such revocation will be announced
anywhere at any time, so if you decide to use this declaration for some
purposes now or in the future you are warned that it may not be true or
valid at any time and that you have been so properly warned so that you
are always using it at your own risk and will, even if you download this
declaration at that same moment from my servers and repository. In no
circunstances shall you declare that you ignore the full legal
consequences of the notices herein contained, that you were not properly
trained or capable of doing so, that you were relying upon myself as if
upon an expert counsel or that you could not possibly verify my
declarations as to their validity and so had to rely upon them. What
public-key cryptography has joined, may time and machines be kind to." 

Which, surely, may change some of the points you derive, but is verbatim
what a X.509 cert is -- however leaving still some disclaimers out. 

May this be published and known.



Dr.rer.nat. E. Gerck                     egerck@novaware.cps.softex.br
    --- Meta-Certificate Group member, http://www.mcg.org.br ---