Re: Verisign and MITM

> An interesting "direct demonstration" of this would be to get a certificate
> generated for a well-known company, institution, or political candidate.
> This would demonstrate the flaws in the e-mail/fax/snailmail process like
> nothing else.

	That wasn't quite the point. If I submitted a key and
paperwork for the key claiming to be Jim Bidzos, and they gave me a
cert for that, that wasn't my point. My point was simply the technical
linking of the paperwork and the key. I figured that a relatively easy
way to fix that would be to require an MD5 of the key included with
the faxed paperwork. It has been mentioned to me though that an MITM
would be noticed once Verisign sent me back a signed cert and it
didn't work with my key.

> (Tangential note: Of course, my fear is always that exposing such flaws
> shows that "we need a national identity system." After all, what Sameer is
> describing is implicit in the fact that neither e-mail, nor a fax, nor
> snail mail, is proof that an entity exists, or that the paperwork
> represents the entity. That's a tough nut to crack, absent an "is-a-person"
> or "is-an-institution" credentialling system.)
> --Tim May
> Views here are not the views of my Internet Service Provider or Government.
> ---------:---------:---------:---------:---------:---------:---------:----
> Timothy C. May              | Crypto Anarchy: encryption, digital money,
> [email protected]  408-728-0152 | anonymous networks, digital pseudonyms, zero
> Corralitos, CA              | knowledge, reputations, information markets,
> Higher Power: 2^756839      | black markets, collapse of governments.
> "National borders are just speed bumps on the information superhighway."

sameer						Voice:   510-601-9777
Community ConneXion				FAX:	 510-601-9734
The Internet Privacy Provider			Dialin:  510-658-6376
http://www.c2.org (or login as "guest")			[email protected]
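
The key-to-paperwork binding proposed in the message above, sketched as an added example that is not part of the original post or of any CA's actual process: the applicant writes a digest of the key on the faxed paperwork, and the CA recomputes it over the key it received by e-mail before signing. The function names and the sample keys are hypothetical and constructed, and hashing the decoded key bytes is an assumption; MD5 is the digest the message names, and the `algorithm` parameter accepts any other `hashlib` name such as `sha256`.

```python
import base64
import hashlib
import re


def _constructed_pem(raw: bytes) -> str:
    """Wrap constructed placeholder bytes in PEM armour (stand-in for a real key)."""
    body = base64.encodebytes(raw).decode()
    return "-----BEGIN PUBLIC KEY-----\n" + body + "-----END PUBLIC KEY-----\n"


# Constructed sample inputs, not real keys.
APPLICANT_PEM = _constructed_pem(b"constructed applicant public key bytes")
SUBSTITUTED_PEM = _constructed_pem(b"constructed key swapped in while in transit")


def pem_to_der(pem: str) -> bytes:
    """Strip the armour lines and decode the base64 body."""
    lines = [line.strip() for line in pem.splitlines()]
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


def key_fingerprint(pem: str, algorithm: str = "md5") -> str:
    """Digest of the key bytes, grouped in fours so it can be written on a form."""
    digest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def normalize(fingerprint: str) -> str:
    """Undo transcription differences: spacing, colons, dashes, letter case."""
    return re.sub(r"[\s:\-]", "", fingerprint).lower()


def ca_accepts(emailed_key_pem: str, faxed_fingerprint: str,
               algorithm: str = "md5") -> bool:
    """CA-side check: does the e-mailed key match the digest on the paperwork?"""
    expected = normalize(key_fingerprint(emailed_key_pem, algorithm))
    return expected == normalize(faxed_fingerprint)


if __name__ == "__main__":
    on_fax = key_fingerprint(APPLICANT_PEM)
    print("written on fax:", on_fax)
    print("genuine key accepted:", ca_accepts(APPLICANT_PEM, on_fax))
    print("substituted key accepted:", ca_accepts(SUBSTITUTED_PEM, on_fax))
```

The check only ties the e-mailed key to the faxed form; whether the fax itself comes from the named entity is the separate problem raised in the quoted reply.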