
Re: Common misconceptions, was Re: KISS for PKIX. (Was: RE: ASN.1 vs XML (used to beRE: I-D ACTION :draft-ietf-pkix-scvp-00.txt))



Todd,
<snip>
>> Regarding the binding I believe that certificates and CAs make sense if the CA
>> can guarantee (with high but not unlimited probability) that an individual cannot
>> "borrow" another's identity.  This is certainly feasible, partly by using biometrics.
>> And is not terribly expensive either.
>> To nail down an individual's true TRUE identity is NOT a requirement for employers, banks
>> etc. as long as you perform according to their rules.  If an RP needs stronger proofs of
>> identity this may have to be carried out without the CA.
>
>But biometrics only addresses the Retail POS style model, because once the
>biometric data is captured, it takes on the same vulnerability as the rest
>of the data used as the auth enablement.

Hum, I don't really think we are talking about the same thing.  Biometrics in this
context is a tool for a CA to bind a physical person (body) to a certificate.  One could
use fingerprints or DNA fingerprints.  IMO a physical person (body) is stronger than an
identity, as the latter can be forged much more easily and is sometimes impossible
to verify (no papers available).

Anders