[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Reasonable validation of a software package



At 1:12 PM -0700 7/18/96, Carl Ellison wrote:

>
>The problem people overlook is that a CA binds a public key to a name but
>the name is in the CA's name space.  For me, a verifier, to derive any
>value from a certificate binding (key,name), the name has to be in *my*
>name space.
>
>If there were such a thing as a global namespace meaningful to everyone,
>then we could both use it.  That's the X.500 falacy/pipe-dream.

Think of the common name on a certificate as if it were a first-come,
first-served serial number of alphanumeric form. There's no reason to
believe that John Smith is YOUR John Smith. Your John Smith might tell you
he's John Smith 37. It's kinda like vanity license plates.

The alternative is every privacy fan's nightmare--embedded SSNs or some
such in certificates.

Some of the problems, of course, will be of the users' own making and there
they get to pay their money and take their choice. What I mean is that you
can optionally include or suppress your e-mail address in Type I
certificates, and real address in Type IIs. If you include it you improve
the chances of being the "right" John Smith someone is after. If you prefer
privacy you will also be less accessible. I see nothing unusual about
that--after all, people with unlisted phone numbers are ultimately
inaccessible except (pretty much) to those to whom they give the info.

>
>The fact is, no global name space could be held in one human's mind, so
>there's no way a global name space could be meaningful to me.

Nor is there any reason it should be. It isn't, now.

>
>So, to use a certificate from a CA, I need to map a name from its name
>space (DN) into a name in my name space (nickname).  Every time I've looked
>at that process, I've had to have a secure channel over which to learn from
>the person I call by that nickname what DN he goes by.

Why does it have to be a secure channel? Why can't it be published (for
instance by including the address in the certificate)?

>If I have that
>secure channel, then he could tell me his public key fingerprint ove that
>cnnel -- and I wouldn't need the CA.

Why wouldn't you use the certificate to bind the public key to the name and
address? What need would there be for fingerprint communication?

How is this different from 20 John Smiths in the phone book at 20 different
street addresses? I'd better know the address of the John Smith I want if
I'm to get his phone number from a directory.

Note that I'm not attacking what you say. There's clearly something you're
getting at that I don't understand--since you post sensible stuff (as far
as I recall). Help me out here.

David