
Re: Options, was Re: To Be, or NR To Be ...



Ed,

	Please accept my apologies if your feelings were hurt, but quite
frankly I'm getting really tired of your continual twisting of my (and
other people's) words to support whatever mindgame you have going on at
the moment.

  	Now, on to the matter at hand:

	Do we have a different definition of "verifiable"?

	My dictionary provides as one definition of "verify" :  "to determine
or test the truth or accuracy of, as by comparison or investigation".  

	Thus, my definition of "verifiable" is that I can look at something
(test it, investigate it,...), and determine whether it is valid (true)
or not valid (false).

	If you give me a signed certificate, and I want to determine if it is
valid for my purposes as a relying party, I can get one of three
results:
	- yes, the certificate is valid;
	- no, the certificate is invalid (for whatever reason, such as it
expired, has been revoked, contains the wrong subject DN, etc.)
	- I don't know; there's not enough information (because I can't trace
back to a trust anchor, or I can't get the necessary CRL/OCSP response,
etc.)

	The existence of the "I don't know" answer means that a signed
certificate of and by itself cannot necessarily be verified (that is, I
can't always determine with certainty whether it's "true" or "false"),
and thus it is not "verifiable".

	The only thing you can test for certain about a signed certificate is
that the signature checks; i.e., the bits in the certificate, to the
degree of uncertainty inherent in public-key cryptography, are those
that went into the creation of the certificate.  If this is what you
mean by "verifiable", then yes, you're right, but that's IMNSHO a pretty
useless definition, because it reduces to "a certificate is signed IF
the certificate is signed".

	Now, if you have another definition of "verifiable", let's hear it.

			Al Arsenault

-- speaking only for myself, yada, yada, yada

Ed Gerck wrote:
> 
> Alfred Arsenault wrote:
> 
> >Ed Gerck wrote:
> >>
> >>
> >>
> >>
> >> First, of course, a necessary and sufficient condition for a certificate to be
> >> verifiable is for it to be digitally signed.  So, I guess this much is OK and
> >> equivalent: "certificate is signed" <--> "certificate is verifiable".  A certificate
> >> is verifiable if and only if it is signed -- the "if" is a sufficient condition and
> >> the "only if" a necessary condition.
> >>
> >
> >AWA:  Bzzt!  Sorry, that is not correct, but thank you for playing
> >anyway.
> 
> Alfred:
> 
> I regret the nonsense you wrote above -- but I find it nonetheless fitting to
> this discussion.
> 
> >The fact that a certificate is signed does NOT make it verifiable.
> 
> Yes it does, as verifiable as the signature allows it.  If a certificate
> IS signed THEN I affirm that this is equivalent to saying that the
> certificate is verifiable -- where, of course, "is verifiable" means that
> it CAN be verified.  And, of course, the fact that it CAN be verified
> does not mean that it MUST be verified.  Of course, it also depends
> if the available public-keys match the signature (maybe not, and maybe
> you need more keys), if the public-key that matches has not been
> revoked, etc.  But, nonetheless the certificate is verifiable and the
> result is either YES or NO -- if the certificate is signed.
> 
> You are making a simple confusion in logic and I suggest you re-read
> my message. It might be much more instructive than if I would try to
> explain it again.
> 
> And, please, next time you don't understand something, just please say what
> you don't understand.  There is no need to continue the tone I see in your
> message and which I surely expect you to recall in the name of civil discourse.
> 
> Cheers,
> 
> Ed Gerck
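
The three relying-party outcomes listed in Al Arsenault's message above (valid, invalid, "I don't know"), as an added example that is not part of the original thread. The `Cert` model, the `sig_ok` flag standing in for the cryptographic signature check, and all sample names and values are assumptions constructed for illustration:

```python
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    VALID = "yes"
    INVALID = "no"
    UNKNOWN = "don't know"

@dataclass(frozen=True)
class Cert:               # constructed toy model, not real X.509 parsing
    subject: str
    issuer: str
    serial: int
    not_after: int        # expiry as a plain integer timestamp
    sig_ok: bool = True   # assumption: result of the cryptographic signature check

def validate(cert, expected_subject, now, issuers, anchors, crls):
    """issuers: subject -> Cert of known CAs; anchors: trusted issuer names;
    crls: issuer -> set of revoked serials (a missing key means no CRL was obtainable)."""
    if cert.subject != expected_subject:
        return Status.INVALID, "wrong subject DN"
    unknown, seen = None, set()
    while True:
        if not cert.sig_ok:
            return Status.INVALID, f"bad signature on {cert.subject}"
        if cert.not_after < now:
            return Status.INVALID, f"{cert.subject} expired"
        if cert.issuer not in crls:
            # Keep walking: a definite failure further up still beats "don't know".
            unknown = unknown or f"no CRL from {cert.issuer}"
        elif cert.serial in crls[cert.issuer]:
            return Status.INVALID, f"{cert.subject} revoked"
        if cert.issuer in anchors:
            break
        if cert.issuer not in issuers or cert.issuer in seen:
            return Status.UNKNOWN, f"cannot trace {cert.issuer} to a trust anchor"
        seen.add(cert.issuer)
        cert = issuers[cert.issuer]
    return (Status.UNKNOWN, unknown) if unknown else (Status.VALID, "chains to trust anchor")

# Constructed sample data: every signature checks (sig_ok=True) in all cases below.
CA = Cert("CN=CA", "CN=Root", serial=2, not_after=2000)
EE = Cert("CN=alice", "CN=CA", serial=10, not_after=1500)
ISSUERS, ANCHORS = {"CN=CA": CA}, {"CN=Root"}
ALL_CRLS = {"CN=Root": set(), "CN=CA": set()}

if __name__ == "__main__":
    for crls in (ALL_CRLS, {"CN=Root": set(), "CN=CA": {10}}, {"CN=Root": set()}):
        print(validate(EE, "CN=alice", 1000, ISSUERS, ANCHORS, crls))
```

In every sample run the signature checks, yet the answer changes with the revocation data and trust anchors the relying party can reach.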