Re: relying-party contract
On Wed, 4 Jun 1997, C. Bradford Biddle wrote:
>
> Digital signatures, supported by
> a "public key infrastructure" of certification authorities (CAs)
> and certificate databases, can solve this authentication
> problem.
This is a common misconception. As explained in the paper
"Overview of Certification Systems: X.509, CA, PGP and SKIP", in MCG Web
Page, http://novaware.cps.softex.br/mcg/cert.htm, April, 1997,
the notion that a CA adds trust or that it will magically infuse
"correctness" in otherwise unendorsed information is simply not
true on several counts. Actually it adds a channel of "implicit spoofing"
by giving the user a sense of security that is simply not there. Also, the
UCC says that CAs are liable only for "methods" -- not for "results". But,
the information in a "certificate" is a result ... sigh!
And, in the CAs' defense, it must be said that they are not
hiding -- it is simply not possible to guarantee results with a system
that depends on trust because a trust system is never 100% right and can
be 100% wrong. That's life.
Solution? Yes, change the model.
> Ultimately this article argues that digital signature laws which
> impose a particular view of electronic commerce should be
> abandoned.
Agreed 100%. Anyway, they are not technically correct either.
> Laws which remove specific, well-defined barriers
> to electronic commerce -- such as unnecessary "writing" or
> handwritten signature requirements -- and which allow the
> electronic commerce marketplace to evolve unfettered should
> be encouraged.
Agreed with great care. Current certificate technology cannot guarantee
that the certified entity is not anonymous, dealing under a pseudonym.
Yours,
Ed Gerck
__________________________________________________________________________
Dr.rer.nat. E. Gerck Phone/Fax: +55-19-2429533
egerck@laser.cps.softex.br http://novaware.cps.softex.br
P. O. Box 1201 - CEP 13001-970 - Campinas - SP - Brazil