Keith Moore wrote:
> > A PKI modeled on the DNS would parallel
> > the existing hierarchy and merely codify the relationships expressed
> > by it in the form of public key certs.
>
> so what you're saying is that the cert would mean something like:
;-) actually, to a lawyer, a PKI cert says something like:
"By issuing this certificate We state in accordance with the rules which We
make and vary as We think fit for that purpose from time to time without
accepting any obligation to any other person (including any Internet
standardization entity) for the effect or consequences of Our choice of
those rules or of Our variation of them, hereafter called "CPS," that:
1. The text string herein designated 'name' contains the string received by Us
from a person, entity or machine, hereafter called entity, claiming it as that
entity's name.
2. We may have taken some measures at some time to receive evidence (which
We may not have preserved and may not be able to produce) of a
connection between the name and the entity from whom it was apparently
received.
3. We have reproduced the string as We believe that We received it, which
We have denoted and formatted as to Our exclusive understanding of it,
of its context and of its validity, as regulated by Our CPS.
4. We may have tested the bit string herein designated 'key' to test whether,
at the date appearing in this certificate, it appears to correspond to a
counterpart apparently available to the entity from whom We apparently
received the name.
5. We are whom We claim to be. This claim can be verified by checking Our
signature on this certificate We supply with a key which We claim to be Our
public key. We do not offer you any grounds for believing that the public
key in question is Our public key or that it has not been revoked before
or after the date of signature of this certificate. The only evidence We
provide of the correctness of the date of signature stated in this certificate is
that it is dated before the date on which you are reading this certificate.
6. We may revoke this certificate at any time without telling you or anyone
else. The fact that you have downloaded this certificate from Our server
does not mean that it has not previously been revoked. The fact that no
revocation for it can be found in Our server does not mean that this
certificate is valid either.
7. You may rely on this certificate only at your own risk, and by so doing
you confirm your acceptance of the conditions subject to which it is issued
as stated in the CPS for the time being in force, which is not to be
construed as any obligation regarding the time this certificate was signed by Us or
used by you. These conditions include terms prohibiting you from claiming
to be inadequately qualified or trained to understand or apply the conditions,
or to have relied upon Us as an expert, or that you were forced to rely on
Us through lack of information with which to verify Our statements, or that
you were forced to rely on Us through lack of choice by any reason such as
the named entity's lack of alternatives for certificates, the browser's lack
of alternatives for embedded root keys, etc.
8. What public-key cryptography has joined, may time and machines not part,
but of such binding We provide no assurance.
In Honor of Our Root-Certificate, which attests to Our faith in the
Root-Key, until We decide to revoke them but maybe not both."
For a user's view, check http://www.mcg.org.br/x509cert.htm
Cheers,
Ed Gerck
>
>
> "we certify that this key was supplied by a party who gave us money
> in exchange for our assigning domain name x.y to it. we have no
> idea who that party really is, whether it is trustworthy, and
> in particular whether that party can be trusted to manage its keys
> in such a way as to make compromise unlikely. for that matter,
> we're not even entirely sure whether the party that gave us money
> for this domain last time it was renewed was the same as the party
> that gave us money for the domain in the past. for that matter,
> we didn't get the money directly from that party, we got it from
> a registrar who you may or may not be able to trust either.
>
> and for that matter, you have no idea whether we are trustworthy.
> we could be making all of this up, and in fact we're so large and
> control the trust relationships to so many domains that there is
> a fair amount of incentive for us to do exactly that under some
> conditions, but we won't tell you want those are but you should
> trust us anyway, because we said so"
>
> Keith