[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [E-CARM] PKI, CAs, TTPs &c.

A 16:44 27/03/98 -0300, vous avez écrit :
>Hell will freeze over before I'll use a crypto digital signature
>system that relies on a third party to generate key pairs, because
>the whole idea of non-repudiation rests on the concept that the
>private key is *never* in the hands of anyone *except* its
>legitimate user, and this certainly includes the key generation

I understand an I am sympathetic with your concern,
but I would like to insist that 
  1. I was just giving an example to illustrate that there is no single
	answer, and in this real life example :
  2. the "personalization" machines used for the generation of the secret
	and "burning" in the smart-card silicium never let this secret
	leak out of the "smart-card" itself. the admin and opeartors
	never have access or a copy of this secret.
  3. these machines/devices are "certified" after severe testing and only
	operated by "approved" entities
  4. I trust a lot more such a machine than a standard PC connected
	to the INternet, where a malicious program can easily steal the
	secret while it is just generated or whenever it is used to sign
  5. 25 million silly french people, do make payments several times
	a week for over ten years now with such a scheme.
  6. I am not asked to trust of fear this mechanism, I am just proposed
	a payment card with a paper writen contract which specifies
	- the service itself
	- the responsibilities (the service provider ones and mine)
	- the liability of each party.
	Of course I am free not to use payment cards and cash only,
	I just have not to apply for a payment card.
	Alternately I can open an account in foreign bank and have
	the >10 times (in measured amount of FF or $ of frauds) less
	secure magnetic strip cards used for example in the US :-)

     This is really representative, as I will never buy a certificate
	in order to "do crypto" but in order to purchase, buy,
	pay, send my tax forms, contract etc... and have this accepted
	by the other parties
In theory you are right, in practice you will probably do what I am doing,
use widely deployed and convenient services with a good contract to protect
you (and not care much about theory).


-- PAP

PAP: mailto:pays@globeid.com                http://www.globeid.com/
tel: +33 (0) 156 541 900	                fax: +33 (0) 156 541 919