Re: Not a good idea...

[djw@vplus.com (Dan Weinstein)]

On Fri, 8 Mar 1996 13:14:25 -0600 (CST), Alex Strasheim
<cp@proust.suba.com> wrote:

>Who's liable?  Me, Verisign, or Netscape?  All of us?  
>
>I suspect that if I pass credit card numbers to thieves I'll get in
>trouble, but I don't have any assets.
>
>Verisign didn't make any representations directly to the public, and they 
>probably followed the procedure they negotiated with Netscape when they 
>issued me my cert.

"For secure servers, VeriSign currently offers a 'high-assurance'
Class 3 Digital ID for electronic commerce servers. "  This is from
Verisign's home page.  They are saying that this class of certificate
is safe to do commerce with.  

>Netscape put together a complicated high-tech system and told the public
>(which doesn't understand cryptography) that their system was suitible for
>commerce -- it's even in the product's name!  They didn't build in prudent
>safeguards to prevent me from running my forms processing service, which
>is such a trivial thing to set up that it should have been forseen.  (Q:
>I've never gotten a real cert -- do I have to agree to something that
>would prohibit my forms processing business?)

I would think that netscape would only make agreements with CAs that
accepted liability.  I would also think that Netscape would only be
liable if they were found to have put in a CA that they had reason to
believe was not taking due diligence to ensure that the key really
belonged to the company that claimed to own it.

Dan Weinstein
djw@vplus.com
http://www.vplus.com/~djw
PGP public key is available from my Home Page.
All opinions expressed above are mine.

"I understand by 'freedom of Spirit' something quite definite -
the unconditional will to say No, where it is dangerous to say
No.        
           Friedrich Nietzsche