This is also true of drivers licenses, or any other identification. The trust is transitive only to the extent you trust the CERT provider, and to the extent that the CERT holder hasn't had they private key compromised. If the Cert authority can't be trusted, or can be fooled, then all bets are off. The identity requirements for one large, well respected Cert provider, for company certs, is a copy of the articles of incorporation. This, just like birth certificates, can be obtained by anyone who wants to pay the $15 fee. Then there is the issue of sloppyiness with the key, or virus infection, or other ways the private key can be compromised. If the private key is compromised, anyone with the private key can sign mail with your Cert. Partly this is a function of computer hygiene. Not everyone on the planet will be able to maintain this. It is quite easy to steal a password on a shared PC. This isn't hypothetical. I have a customer where the employees don't each have a personal computer. Yet they all send email via a webmail interface. This type of solution isn't going to work, either. It might work for some small groups, but it won't work for everyone, everywhere. --Dean On Thu, 5 Jun 2003, Einar Stefferud wrote: > Wow! What a mighty leap of faith! > > Let me offer a different view... > > Stephen's CERT proves that the sender is a person who got a CERT from > some CERT provider and has a contract with that provider, but has no > contract with Anthony, so that when Steven does something bad to > Anthony, like snd him some spam, and Anthony complains to the CERT > provider, the CERT provider is going to say "You don't have any contract > with us, so we do not owe you anything." > > In fact, Anthony might not even be findable because of his holding a CERT, > because he was able to obtain the CERT with false information. > > So, I have to ask why you trust those CERTS. > > I don't trust em just because they come with a contract that denies all kinds > of liabilities in the reliance on or use of those CERTS. > > The problem is that I do not trust the transitivity of trust as required by PKI. > This is because I have ever seen proof of trust transitivity. > > Show me the proof of it and I will believe it, if your proof stands up! > > Cheers...\Stef > > At 23:08 +0200 6/4/03, Anthony Atkielski wrote: > >Stephen writes: > > > > > Does my signature on this message make you trust > > > it more than, say, the ten ads you got this morning > > > for Viagra? > > > >Yes. > > > > > Why or why not? > > > >It proves who you are, which means that you expose yourself to a certain > >extent in the event that you do anything inappropriate with your e-mail. > >This implies that your intentions are honorable; and even if they are not, > >the signature makes you easier to track down and take action against. So it > >makes one feel a bit warmer and fuzzier. > > > >Content-Type: application/x-pkcs7-signature; > > name="smime.p7s" > >Content-Disposition: attachment; > > filename="smime.p7s" > > > >Attachment converted: Viking5:smime.p7s (????/----) (00097E08) > > >