RE: What is the order of certificates in a certificate chain?
Hi Peter,
I believe there is an issue of "best commercial practices"
here. If a building contractor presented a forged paper license
or misappropriated the identity of a legitimately licensed
contractor, I'm 100% certain that is a misrepresentation of
fact. If the contractor presented a legitimate license, within
its printed validity interval but which had been suspended/revoked,
a "90% misrepresentation" has occurred. The homeowner
has a 10% responsibility to check references, the BBB, and the
contractor's professional association, but I suspect a judge
would not penalize the homeowner too severely for not having
done so.
But accepted practice is for police officers to verify the
putative validity of plates and drivers licenses with a radio
call. And accepted practice for PKIX clients should be to
validate certificates before relying upon them. If that is
true, there is fault with the CA for misrepresentation, and
fault (at least 50%) with the subscriber for lack of due diligence.
The CA is not blameless, and can be punished (given a black
mark on the compliance audit, or de-certified) by a regulating
body. But, IMO, the only damages the subscriber suffers is
the fact that subscriber's certificate will not be accepted
by RPs. The CA is responsible for promises made to deliver
a valid certificate and business lost as a result of failure
to deliver what was promised. But at the moment of delivery,
(again IMO, IANAL!) the subscriber assumes nearly all the
responsibility for not properly validating the cert as part
of acceptance.
Regards,
Dave
> From: Peter Williams <peterw@valicert.com>
> To: "'David P. Kemp'" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org
> Subject: RE: What is the order of certificates in a certificate chain?
> Date: Thu, 20 Apr 2000 19:57:30 -0700
>
> Hi David:
>
> Consider the following reasoning:
>
> A CA, in the PKIX model, may be accredited - something
> that is signaled via the issuance of a cross-certificate
> or similar.
>
> If a (trusted) CA quotes such a cross-certificate during
> certificate application procedures, it is
> essentially representing the validity of the underlying
> accreditation. A CA which quoted a revoked
> accreditation cross-certificate would
> be likely acting in a manner which is a mis-representation
> of fact, surely.
>
> If a building contractor came to your house,
> presented an official and legally-recognised
> paper license to do electrical work, and you subsequently
> determine that the license had been revoked in
> the license registry prior to presentation of the
> paper during contract negotiation, would you not feel a
> simple mis-representation had occurred?
>
> Could a regulator not punish that contractor for
> not suspending licensed work - and/or falsely
> imputing a licensed standing?
>
> I would think that a best practices Internet CA has
> a simple professional if not a legal duty to ensure that
> it does not provide false information to a subscriber
> during CMP; especially information that might prejudice
> the determination of that subscriber when establishing
> the initial accuracy of a certificate that will bind
> him/her at NR grade of proof - following formal
> acceptance of that certificate.
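Both messages turn on the same technical point: a relying party, or a subscriber at acceptance, must actually validate a chain (correct leaf-first order, signature under each issuer, validity interval, and the revocation status of every certificate on the path including an accreditation cross-certificate) rather than take a presented certificate at face value. The script below is an added illustration, not code from the thread or from any PKIX implementation. It models path validation in the spirit of RFC 5280 with stand-ins: HMAC keys replace asymmetric signing keys so it runs on the Python standard library alone, the CA names, keys, serials and dates are constructed, and the CRL is a plain dictionary of issuer name to revoked serials.

```python
# Added example (not from the thread): toy PKIX-style path validation showing that a
# certificate still inside its validity dates but revoked by its issuer is rejected,
# that a chain presented in the wrong order is rejected or can be reordered, and that a
# forged certificate fails signature verification. HMAC keys stand in for real signing
# key pairs; real PKIX uses asymmetric signatures, CRLs/OCSP and RFC 5280 section 6.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import hashlib
import hmac


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: date
    not_after: date
    key: bytes        # stand-in for the subject's public key; verifies certs the subject issues
    signature: bytes  # MAC over the to-be-signed fields under the issuer's key

    def tbs(self) -> bytes:
        return (f"{self.subject}|{self.issuer}|{self.serial}|{self.not_before}|"
                f"{self.not_after}|{self.key.hex()}").encode()


def issue(issuer_key: bytes, issuer: str, subject: str, serial: int,
          not_before: date, not_after: date, subject_key: bytes) -> Cert:
    unsigned = Cert(subject, issuer, serial, not_before, not_after, subject_key, b"")
    sig = hmac.new(issuer_key, unsigned.tbs(), hashlib.sha256).digest()
    return Cert(subject, issuer, serial, not_before, not_after, subject_key, sig)


def signed_by(cert: Cert, issuer: Cert) -> bool:
    expected = hmac.new(issuer.key, cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def order_chain(certs: list[Cert]) -> list[Cert]:
    """Return the chain leaf-first (the order TLS sends it), each cert followed by its issuer."""
    by_subject = {c.subject: c for c in certs}
    issuers = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError("chain must contain exactly one end-entity certificate")
    chain, cur = [], leaves[0]
    while True:
        chain.append(cur)
        if cur.issuer == cur.subject or cur.issuer not in by_subject:
            return chain
        cur = by_subject[cur.issuer]
        if cur in chain:
            raise ValueError("issuer loop in chain")


def validate_path(chain: list[Cert], anchors: list[Cert], crls: dict[str, set[int]],
                  today: date) -> tuple[bool, str]:
    """Walk a leaf-first chain up to a trust anchor; return (True, 'ok') or (False, reason)."""
    if not chain:
        return False, "empty chain"
    anchors_by_name = {a.subject: a for a in anchors}
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            issuer = chain[i + 1]
        elif cert.issuer in anchors_by_name:
            issuer = anchors_by_name[cert.issuer]
        else:
            return False, f"{cert.subject}: chain does not end at a trust anchor"
        if issuer.subject != cert.issuer:
            return False, (f"{cert.subject}: next certificate is {issuer.subject}, "
                           f"expected issuer {cert.issuer} (chain out of order?)")
        if not signed_by(cert, issuer):
            return False, f"{cert.subject}: signature does not verify under {issuer.subject}"
        if not (cert.not_before <= today <= cert.not_after):
            return False, f"{cert.subject}: outside validity interval"
        if cert.serial in crls.get(issuer.subject, set()):
            return False, f"{cert.subject}: serial {cert.serial} revoked by {issuer.subject}"
    return True, "ok"


# Constructed demo: a root, an accreditation cross-certificate to a subordinate CA, a leaf.
ROOT_KEY, SUB_KEY, ALICE_KEY = b"root-secret", b"subca-secret", b"alice-secret"
TODAY = date(2000, 4, 21)
root = issue(ROOT_KEY, "Root CA", "Root CA", 1, date(1999, 1, 1), date(2009, 1, 1), ROOT_KEY)
cross = issue(ROOT_KEY, "Root CA", "Accredited CA", 2, date(2000, 1, 1), date(2002, 1, 1), SUB_KEY)
leaf = issue(SUB_KEY, "Accredited CA", "alice@example.com", 3,
             date(2000, 4, 1), date(2001, 4, 1), ALICE_KEY)
# A forged cross-certificate: same claims, but not signed with the root's key.
forged = issue(b"not-the-root", "Root CA", "Accredited CA", 9,
               date(2000, 1, 1), date(2002, 1, 1), SUB_KEY)


def demo() -> dict:
    """Run the scenarios discussed in the thread and return each outcome."""
    return {
        "valid": validate_path([leaf, cross], [root], {}, TODAY),
        # the accreditation cross-certificate is inside its dates but revoked by the root
        "revoked_cross": validate_path([leaf, cross], [root], {"Root CA": {2}}, TODAY),
        "wrong_order": validate_path([cross, leaf], [root], {}, TODAY),
        "reordered": validate_path(order_chain([cross, leaf]), [root], {}, TODAY),
        "forged": validate_path([leaf, forged], [root], {}, TODAY),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:14s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The revoked case is the one Dave and Peter are arguing about: the cross-certificate passes every date and signature check, and only the CRL lookup against the issuer's list catches it, which is why a client that skips revocation checking cannot claim to have performed the due diligence the thread describes.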