RE: DSAKeyValue text - inferring trust from just a PK

XKMS, a protocol for XML-based key management, does not imply the need for
certificates to be used to establish trust.  In fact, when provided as a
third party service, trust could be achieved in many ways... beermat or
cert.  Only a name is required to be associated with a key, and without a
binding.  The third party trust service provides the binding and the trust.


Since XML-based key management is being considered as a project for W3C,
this notion seems to have merit.


Dan Ash,
Identrus LLC  

> -----Original Message-----
> From: Amir Herzberg [mailto:amir@newgenpay.com]
> Sent: Friday, June 08, 2001 10:16 AM
> To: w3c-ietf-xmldsig@w3.org
> Subject: Re: DSAKeyValue text - inferring trust from just a PK
> 
> 
> Merlin said,
> > If I write my public key (or its fingerprint) down on a beermat
> > and you receive a document that contains that key (and was signed
> > by the corresponding private key) then, subject to our trust
> > relationship and the quantity of beer, you may be able to infer
> > that I signed the document. Or, you can use the key fingerprint
> > to look up a cert in a database. Beer or certs, your choice.
> 
> This mechanism is certainly sufficient for document authentication (for
> which it is also sufficient to write down an appropriate crypto hash of the
> document itself on the beermat).
> 
> However, it is not sufficient for non-repudiation, unless indeed looking up
> the cert in a trusted public database (or having also a certificate).
> Namely, if all you have is the beermat containing the key and the document,
> you certainly can't prove that it was signed by the individual who handed
> you the beermat (unless maybe using his fingermark on the beermat? now that
> may work...).
> 
> Best Regards,
> 
> Amir Herzberg
> CTO, NewGenPay
> www.NewGenPay.com/Amir/Herzberg.htm
> 
> 

Received on Friday, 8 June 2001 10:37:57 UTC
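
The beermat lookup discussed in this thread, as an added example that is not part of the original messages: a relying party maps a bare DSAKeyValue to a name it recorded out of band. The fingerprint format (SHA-256 over length-prefixed P, Q, G, Y), the function names and the toy key are assumptions made for illustration; XML-DSig itself defines no key fingerprint.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample with toy values (P=23, Q=11, G=4, Y=8); not a real key.
SAMPLE_KEYINFO = """<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <KeyValue><DSAKeyValue>
    <P>Fw==</P><Q>Cw==</Q><G>BA==</G><Y>CA==</Y>
  </DSAKeyValue></KeyValue>
</KeyInfo>"""


def dsa_key_fingerprint(keyinfo_xml: str) -> str:
    """Hex SHA-256 over the key's P, Q, G, Y (assumed format, see lead-in)."""
    # ElementTree does not limit entity expansion; for untrusted input
    # a hardened parser such as defusedxml is the safer choice.
    root = ET.fromstring(keyinfo_xml)
    key = root.find(f".//{DS}DSAKeyValue")
    if key is None:
        raise ValueError("KeyInfo carries no DSAKeyValue")
    digest = hashlib.sha256()
    for name in ("P", "Q", "G", "Y"):
        field = key.find(DS + name)
        if field is None or not (field.text or "").strip():
            raise ValueError(f"DSAKeyValue is missing {name}")
        raw = base64.b64decode("".join(field.text.split()), validate=True)
        # Strip leading zero octets so two encodings of the same integer
        # cannot yield two different fingerprints.
        raw = raw.lstrip(b"\x00") or b"\x00"
        # Length prefix keeps the field boundaries unambiguous.
        digest.update(len(raw).to_bytes(4, "big") + raw)
    return digest.hexdigest()


def resolve_signer(keyinfo_xml: str, pinned: dict):
    """Return the name recorded for this key, or None if it is unknown.

    `pinned` maps fingerprint -> name and is populated out of band:
    the beermat, or the binding returned by a third-party trust service.
    """
    return pinned.get(dsa_key_fingerprint(keyinfo_xml))


if __name__ == "__main__":
    beermat = {dsa_key_fingerprint(SAMPLE_KEYINFO): "merlin"}
    print(resolve_signer(SAMPLE_KEYINFO, beermat))
```

A match only tells the relying party which name it recorded for this key; the signature still has to verify under that key, and the lookup table is the relying party's own record, not evidence a third party would accept.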