Re: Digital Signature laws



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 10:10 AM 7/1/98 -0800, Bill Frantz wrote:
>I currently use the VeriSign certificates to make a binding between my
>meatspace trust in well established institutions and their electronic
>presences.  Before I send off my credit card number, I check the
>certificate on the page to see if it looks like it was issued to the
>company I think I am dealing with.

You know, I tried that once -- on a page I was about to buy something on -- 
and was told that the page belonged to some non-descript electronic mall 
with no connection to the company I was buying from.  So much for
getting value from the VeriSign certificate.

Meanwhile, VeriSign isn't the authority on any of the pieces of 
information I care about.

One piece I care about is the binding between keyholder and any logo on the 
page -- e.g., a trademark.  The authority on that information is the USPTO 
or some state trademark office.

The main piece I care about is the company's business practice summary: its 
reputation.  I know of no authority on that, except word of mouth from 
satisfied customers.  That's a web-of-trust security model, very close to 
the original PGP model.

I might also care about the association between the keyholder and 
the DNS name where that web page was to be found.  The authority on that is 
the DNS zone manager, not some commercial CA.

 - Carl

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3

iQA/AwUBNZqt8pSWoQShp/waEQLiEQCeI6OfDGshJrUPRRv6aTFvSrZYj94AoN41
P3NFKJqif4ChjvKX5pHaVdUT
=qkKP
-----END PGP SIGNATURE-----


+------------------------------------------------------------------+
|Carl M. Ellison       cme@acm.org    http://www.clark.net/pub/cme |
|    PGP: 08FF BA05 599B 49D2  23C6 6FFD 36BA D342                 |
+-Officer, officer, arrest that man. He's whistling a dirty song.--+
From ???@??? Wed Jul 01 18:08:49 1998
Received: from mail.acm.org (mail.acm.org [199.222.69.4])
	by ice.clark.net (8.8.8/8.8.8) with ESMTP id RAA28190
	for <cme@clark.net>; Wed, 1 Jul 1998 17:47:42 -0400 (EDT)
Received: from ice.clark.net (ice.clark.net [168.143.0.12]) by mail.acm.org (8.8.5/8.7.5) with ESMTP id RAA76430 for <cme@acm.org>; Wed, 1 Jul 1998 17:39:38 -0400
Received: from carltecra (cme.clark.net [168.143.8.144])
	by ice.clark.net (8.8.8/8.8.8) with SMTP id RAA27602;
	Wed, 1 Jul 1998 17:46:48 -0400 (EDT)
Message-Id: <3.0.3.32.19980701174524.032fa698@pop3.clark.net>
X-Sender: cme@pop3.clark.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 01 Jul 1998 17:45:24 -0400
To: Bill Frantz <frantz@netcom.com>
From: Carl Ellison <cme@acm.org>
Subject: Re: Digital Signature laws
Cc: Carl Ellison <cme@acm.org>, "Bob Jueneman" <BJUENEMAN@novell.com>,
        spki@c2.net, Sheri Bischoff <sjb8@BYUGATE.byu.edu>
In-Reply-To: <v0311079eb1c029d512c8@[207.94.249.99]>
References: <3.0.3.32.19980701063827.0337d8c8@pop3.clark.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Status:   
