Re: public key vs passwd authentication?
From: Michael Sierchio (kudzu_at_tenebras.com)
Date: 10/02/03
- Previous message: Mark Rafn: "Re: public key vs passwd authentication?"
- In reply to: Anne & Lynn Wheeler: "Re: public key vs passwd authentication?"
Date: Thu, 02 Oct 2003 13:02:43 -0700
Anne & Lynn Wheeler wrote:
> PKI certificates are there purely as a trust propagation mechanism,
> analogous to letters of credit (from the days of sailing ships);
No, they aren't even remotely analogous. In the case of
a letter of credit, the issuing bank has a liability. The
"included by reference" CPAs in most certs that are "trusted"
(because trusted signers are embedded in your browser/MUA/etc.)
deny any liability, etc.
Even if we accept that due care was taken in the binding of
a subject id to a public key, and the extensions baked into the
cert are appropriate, what do we know about the conditions
under which the private key is held? And conferring trust
usually means *authorization* not *authentication*.
Knowing that this really is *my* public key is of limited value in se.
I'm sure you'll respond with something about attribute certs, which
still don't form the basis of a trust management system by themselves.