Re: Certificate trust
From: Lars Olaussen (Isolauss_at_hotmail.com)
Date: 09/13/04
- In reply to: Craig: "Certificate trust"
Date: Mon, 13 Sep 2004 15:03:12 +0200
"Craig" wrote...
>
> What about trusting the user? Is there anything
> that indicates whether the user is trustworthy
> to do business with?
Craig,
As you mentioned, the CA (or RA) performs (hopefully) the initial
authentication of the user according to the Certificate Policy and
Certification Practice Statement. So, if you trust the CA, you could
also trust the identity of the user.
Authentication is all that most PKIs provide. You would have to
implement other systems to check the background of users you want to do
business with.
Some PKIs provide limited liability for losses caused by the use of a
digital certificate, but your case would probably not be covered by
this. An example of liability provided here:
https://www.verisign.com/repository/rpa.html
See section 12. The classes define the trust you should put into the
identification of the certificate subject.
Note that VeriSign have already issued some certificates to people who
were not who they claimed to be, so trusting them to perform an accurate
authentication would be up to you.
Regards,
Lars Olaussen
Isolauss@hotmail.com