
Re: Certificates, Attributes, Web of Trust

At 7:11 PM 10/5/95, Jeff Weinstein wrote:

>  How about if the system allows you to get a certificate that
>has any name in it that you want, where the issuer makes no
>claims about the identity of the owner of the certificate?
>How about if the software lets the user decide which CAs they
>will accept certificates from?  Given these two features,
>would you still consider requiring a certificate to be bad?

Let's make sure what we mean by these two points:

1. "...allows you to get a certificate that has any name in it that you
want, where the issuer makes no claims about the identity of the owner of
the certificate?"

I would expect that a certificate for "%63rrW209neU6q!" would be issuable
for a minuscule amount of money, and as many of these as are desired.

(No, I'm not saying "Verisign" must offer certificates for very low cost,
only that there be no built-in costs, or built-in time delays and
processing delays, that would prevent "Tim's Really Cheap and No Questions
Asked Certificate Service" from issuing such certificates, cheaply and
rapidly (in seconds, or less, as some applications will need this, if other
services "demand" certificates).)

2. "...software lets the user decide which CAs they will accept
certificates from?"

Fine, provided the following CAs are acceptable:

-- an "automatic" certificate granter, essentially meant only to satisfy
protocols which require certificates

-- a certifier for the Mob, which sells certificates for some fee

-- the application itself should be able to generate certificates
immediately...call this the "null certification."

It is true that some of these examples seem to "undermine" the whole purpose
of certificates, but this is precisely my point: if I want a key to be
certified, I will determine the conditions under which I want it to be
certified. Other parties are free to meet my conditions if they wish to do
business with me, or not, as the case may be.

The "null certification" is thus very important.

Naturally, I think this null certification makes the idea of _requiring_
certification moot.

Will Netscape allow this?

--Tim May

Views here are not the views of my Internet Service Provider or Government.
Timothy C. May              | Crypto Anarchy: encryption, digital money,
[email protected]  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."