- From: Dennis Glatting <dennis.glatting@plaintalk.bellevue.wa.us>
- Date: Fri, 7 Feb 97 09:24:16 -0800
- To: Mark Shuttleworth <marks@thawte.com>
- cc: billo@server.net, ietf-tls@w3.org, ssl-talk@netscape.com
> > TLS requires a CA, unless one of the proposed shared key
> > mechanisms are adopted. There is not a global CA
> > infrastructure, more or less a US infrastructure. Worse, in
> > the US there is the real possibility of escrow. Associated with
>
> Begging your pardon, but Thawte's strategy is entirely
> global. Also, because we are based outside the US, the only way
> we would consider escrow is if the US government explicitly
> banned the use of non-escrow keys within the US - an unlikely
> proposition.
>

If Thawte can establish a global presence, comply with international and domestic law, assure the authenticity of every source (implying possible legal liabilities), assure the redundancy, reachability, and integrity of each of their CAs (implying liabilities again), and interoperate with existing CAs (such as AT&T), then they will offer a great service. However, if they cannot then the service is of marginal value and no different than the patchwork of CAs operating today.

> > most CAs is a financial transaction. Though traditional use of
> > security (in particular, cryptography) has often been
> > labeled as "not for free", requiring investment in a CA or
> > purchase of a CERT gives the term new meaning.
>
> As soon as it's possible to conduct quality checks free, there
> will be quality free certs. Certification should not be an
> expensive thing at all. We don't think so.
>

I haven't read anything on the subject in a while but in the US there was a proposal to have the US Postal Service offer CA services and issue CERTs based on the presentation of US accepted identification. I do not recall if the proposal included a fee for CERT issuance. I also am suspect on the "US accepted identification" part. If I remember correctly the identification was a valid US driver license. Ha!

The issuance of a CERT must be based on strong verification of who it is issued against. Without strong verification the authenticity of any CERT is suspect. Verification offers interesting challenges not only in the US but around the globe.

-dpg

Received on Friday, 7 February 1997 12:24:39 UTC