Re: Certificates/Anonymity/Policy/True Names



Hello Michael Froomkin <[email protected]>
  and Rich Salz <[email protected]>
  and [email protected]

Original reason at end (after the reply).

> But this is precisely the issue: what does the *certificate* get any of 
> these people that a simple digital signature does not provide?

Protection from spoofing.

> On Sat, 19 Aug 1995, Rich Salz wrote:
> 
> > I think there are many people who might be willing to use an
> > "anon CA" should it exist:
> > 	Whistleblowers, perhaps Deep Throat would have used email

Certification is needed to avoid another person intercepting, re-signing,
and substituting hir own key.

> > 	Any number of writers who have used pseudonyms and now want to
> > 		get paid in ecash; Mark Twain?

Certification is needed to avoid another person diverting the ecash
(a disputed unsigned key is practically useless). In fact a much simpler
attack is denial-of-service: simply dispute the key (send another one
to the keyservers), and let the resulting uncertainty cut off the profits.


Also, if you insist on govt-is-root, you need certified pseudonyms
to set up a pseudonymous CA (i.e. a CA whose real identity is unknown).


Hope that makes sense...

Jiri
--
If you want an answer, please mail to <[email protected]>.
On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)