
Re: [E-CARM] PKI, CAs, TTPs &c.



-----BEGIN PGP SIGNED MESSAGE-----

At 06:52 AM 3/27/98 -0800, Lynn.Wheeler@firstdata.com wrote:
>
>i believe so .... we actually have a distinction proposed that any
>digitally signed document attesting to the validity of a public/private
>key pairing is a "certificate"
>
>... the distinction is that a client (in the bank case) sends
>(effectively) a self-signed certificate to the bank (CA) as part of
>certification process (demonstrating that the client has the private key
>that corresponds to the public key in the certification process) ...

This is a good step, but not all CAs do this, so we need to continue
telling people to do this.

>i.e. in effect all CAs that require proof by the client that the client
>has the private key ... utilize some form of self-signed certificate
>(i.e. something signed by a private key attesting to something about the
>client's public key).
>
>in this particular financial case, the (financial institution) CA may or
>may not turn around and issue a certificate further certifying something
>about the client's public key ... and even if they do issue such a
>certificate ... it doesn't mean that the client is required to return the
>certificate to the financial institution/CA ... whenever the client is
>executing a digitally signed transaction with the issuing FI/CA.

When I got a replacement ATM card, I had to go to the branch bank where I 
opened my account and where my signature was on file, sign a card in their 
presence, show them picture IDs, ..., and then they issued me a new ATM 
card.  I would be very annoyed with any bank that failed to protect access 
to my account by such procedures.  In particular, I would take my money out 
of any bank that issued the equivalent of ATM cards by an on-line-only 
procedure.  So, for issuing the cert giving me access to money, I would want 
at the very least to have my bank demand I come in to the brick & mortar 
branch, prove my access rights, and get a long random number -- to be used 
once (signed by my RSA key in a message asking for the new certificate).

Of course, this requirement goes away if I'm opening an account from 
scratch.  In that case (where there's no money already in the account), I'd 
be delighted if my bank allowed me to open the account on-line with a simple 
digitally signed message.

 - Carl

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3

-----END PGP SIGNATURE-----


+------------------------------------------------------------------+
|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street  PGP 08FF BA05 599B 49D2  23C6 6FFD 36BA D342 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
+------------------------------------------------------------------+
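
The enrollment flow discussed in this message (a one-time random number handed over in the branch, then signed by the client's key in the certificate request, which also proves possession of the private key), as an added example that is not part of the original message. The `Bank` class, the `request_bytes` layout and the constructed textbook-RSA key (no padding, a stand-in for a real RSA key) are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy key: textbook RSA over two Mersenne primes, no padding.
# It stands in for the client's real RSA key; never use it outside a demo.
P, Q, E = 2**89 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, d: int, n: int) -> int:
    return pow(_digest(message, n), d, n)


def verify(message: bytes, sig: int, e: int, n: int) -> bool:
    return pow(sig, e, n) == _digest(message, n)


def request_bytes(account: str, code: str, pub) -> bytes:
    # The signed body binds account, one-time code and the public key itself.
    return f"{account}|{code}|{pub[0]}|{pub[1]}".encode()


class Bank:
    """Hypothetical CA side: one-time codes are handed out in the branch."""

    def __init__(self):
        self.pending = {}  # account -> unused one-time code

    def issue_code_in_person(self, account: str) -> str:
        code = secrets.token_hex(16)  # the "long random number"
        self.pending[account] = code
        return code

    def handle_request(self, account, code, pub, sig) -> bool:
        e, n = pub
        expected = self.pending.get(account)
        if expected is None or not secrets.compare_digest(expected, code):
            return False  # unknown account, wrong code, or code already used
        if not verify(request_bytes(account, code, pub), sig, e, n):
            return False  # requester does not hold the matching private key
        del self.pending[account]  # consume the code: it is valid only once
        return True
```

Because the signature covers the public key as well as the code, a request that swaps in a different key fails verification even when the code is correct.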
