
Re: The role of trust in certification


At 04:59 PM 2/13/98 -0500, Bob Blakley wrote:
>I think the answer is that it's what a Certificate *says* that establishes
>a historical context for evaluating trust decisions.  The first time I receive
>a certificate, my trust in the parties "behind" the certificate is based on
>blind faith.
>The second and subsequent times I rely on the same certificate, the binding
>between the CA key and the acceptor key, and the binding between the acceptor
>key and a signed document, combine to give me confidence (assuming I believe
>in the strength of cryptography; a whole other discussion) that I'm dealing
>with the *same* parties with whom I have a past history.  This allows me
>to make trust decisions in the same way I do in the real world with people
>I actually know: on the basis of my observations of their past behavior.

Am I missing something here?

The same characteristic is available with a naked public key, with no 
certificate, right?

What you really count on in this logic is that the person/machine operating 
the private key is the same in the different instances.  The possession and 
control of a private key is outside the control of a CA and certainly of a 

 - Carl



|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street  PGP 08FF BA05 599B 49D2  23C6 6FFD 36BA D342 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
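The point both messages turn on is key continuity: the first time a key is seen it is accepted on faith, and every later document signed under the same key builds a history with the party controlling it, whether or not a CA has certified the key. The following Go program is an added illustration of that idea and is not code from either author or from the list. It uses the standard library's crypto/ed25519 for signing; the ContinuityStore type, the "alice" name and the document strings are constructed for the example, and the policy of accepting first contact is left to the caller.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ContinuityStore remembers the naked public key first seen for each
// counterparty name, plus how many signed documents that key has verified.
// No CA is involved: the first encounter is accepted on faith; later
// encounters succeed only if the same key still controls the signatures.
type ContinuityStore struct {
	keys    map[string]ed25519.PublicKey
	history map[string]int
}

func NewContinuityStore() *ContinuityStore {
	return &ContinuityStore{
		keys:    make(map[string]ed25519.PublicKey),
		history: make(map[string]int),
	}
}

// Fingerprint renders a key as a short hash of its bytes, the way a PGP
// fingerprint in a signature block lets a human compare keys by eye.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

var ErrKeyChanged = errors.New("public key differs from the one first seen for this name")
var ErrBadSignature = errors.New("signature does not verify under the remembered key")

// Verify checks a signed document presented under `name`. It returns the
// number of documents the remembered key has now verified (1 means first
// contact, i.e. blind faith) or an error if the key changed or the
// signature is bad. A changed key never overwrites the remembered one.
func (s *ContinuityStore) Verify(name string, pub ed25519.PublicKey, doc, sig []byte) (int, error) {
	known, seen := s.keys[name]
	if !seen {
		// First contact: nothing to compare against. The only thing we can
		// check is that whoever sent this really holds the private key.
		if !ed25519.Verify(pub, doc, sig) {
			return 0, ErrBadSignature
		}
		s.keys[name] = pub
		s.history[name] = 1
		return 1, nil
	}
	if !known.Equal(pub) {
		// Same name, different key: the one event a CA-less scheme must
		// surface loudly, since it is where continuity breaks.
		return s.history[name], ErrKeyChanged
	}
	if !ed25519.Verify(known, doc, sig) {
		return s.history[name], ErrBadSignature
	}
	s.history[name]++
	return s.history[name], nil
}

func main() {
	store := NewContinuityStore()
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)

	doc1 := []byte("constructed sample: first document")
	n, err := store.Verify("alice", alicePub, doc1, ed25519.Sign(alicePriv, doc1))
	fmt.Println("first contact:", n, err, Fingerprint(alicePub))

	doc2 := []byte("constructed sample: second document")
	n, err = store.Verify("alice", alicePub, doc2, ed25519.Sign(alicePriv, doc2))
	fmt.Println("second contact, same key:", n, err)

	// A different key presenting the same name is refused and the history
	// stays with the key first seen.
	n, err = store.Verify("alice", otherPub, doc2, ed25519.Sign(otherPriv, doc2))
	fmt.Println("same name, new key:", n, err)
}
```

The store never consults a certificate; all it can assert is "the party signing now holds the same private key as last time", which is exactly the property Carl notes is available with a naked key. What the store cannot tell, and what no CA can tell either, is whether the same person or machine still controls that private key.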
