Signs keys for people you don't LIKE?

I give (well, sell) certs to plenty of people I don't LIKE. That is not the issue, the issue is whether the authentication procedure is being applied as stated in the CPS or not. If a bogus certificate is issued and the CA refuses to revoke it then you have a big problem.

In your scenario what happens if you find out that Ted Tso or Jeff Schiller has signed a bogus key? Do you then revoke every key they ever issued on that account?

Please remember here that we are trying to solve the spam problem here. The guys sending the stuff are organized criminals. It is bad if even one criminal spam gets through. But it is also bad if you can't use email unless you go pay $10,000 to some email good practice accreditation agency (yes that is what they charge).

So yes we can use certificates to address the spam problem, but don't expect the criteria to be set at military security levels. Most people simply won't pay for that.

Phill

> -----Original Message-----
> From: Pete Resnick [mailto:presnick@qualcomm.com]
> Sent: Friday, June 06, 2003 12:10 PM
> To: Hallam-Baker, Phillip
> Cc: 'ietf@ietf.org'
> Subject: RE: Certificate / CPS issues
>
>
> On 6/6/03 at 7:41 AM -0700, Phillip Hallam-Baker wrote:
>
> >Do you think that folk signing PGP keys are undertaking unlimited
> >liability should the certification turn out to be incorrect?
>
> No, but if Mary turns out to be someone who signs PGP keys for people
> I don't like, I can simply say "Don't trust Mary" in my PGP
> application and the things she signs won't show up as valid unless
> someone I do trust signs them. If RSA screws up and signs keys for
> people I don't like, I can't (practically) say "Don't trust RSA"
> without invalidating a bunch of keys that I probably do want to trust.
>
> I'm not by any means saying that PGP is a perfect solution. It's just
> that the liability scenario is very different because the amount of
> damage any given signer can do is much different.
>
> pr
> --
> Pete Resnick <mailto:presnick@qualcomm.com>
> QUALCOMM Incorporated - Direct phone: (858)651-4478, Fax:
> (858)651-1102
>