
Re: Certificates: limiting your liability with reuse limitations



A. Michael Froomkin writes:
> I know I can put an expiration date on the certificate, but that's not 
> enough.  I can accumulate a lot of exposure in a few seconds, much less 
> weeks.
> 
> I know I can put a reliance limit in the X.509 ver 3 certificate, but 
> that's not enough.  Even a $1 limit could be used many millions of times.
> 
> Is it feasible to say: Can only be relied on once per day/week/month?

This sounds like it would present the same exposure problems as an expiration
date, but perhaps be more difficult to impose. As you said above, you can
assume huge liability in a few seconds, even if you're only given a few
seconds a week. Also, I don't immediately see a way to arrange this on the
technical side that doesn't reduce to using something that expires and
replacing/refreshing it periodically. Of course, the net is in some ways
excellent for that sort of application.

How about combining value limits with time limits?  Over the wire, using
low value limits and replacing them frequently might be a workable solution.

> Is this something the relying parties can reasonably be expected to monitor?

This sounds like a legal question, so I don't think I can offer a useful 
response. 

Futplex <[email protected]>       "I think every player in the NFL should 
	    	have to go through grad school. It would be a great humbler." 
	    -Matt Miller, Cleveland Browns 1979-1983, Ph.D. Georgia Tech 1993
