Re: DSAKeyValue text - inferring trust from just a PK from Amir Herzberg on 2001-06-08 (w3c-ietf-xmldsig@w3.org from April to June 2001)

From: Amir Herzberg <amir@newgenpay.com>
Date: Fri, 8 Jun 2001 17:02:33 +0200
To: "Daniel Ash" <Daniel.Ash@identrus.com>, <w3c-ietf-xmldsig@w3.org>
Message-ID: <000b01c0f02c$0c85daa0$323cfea9@newgenpay>

RE: DSAKeyValue text - inferring trust from just a PKOops, Daniel is right, I slipped and said... 

> looking up the cert in a trusted public database 

where of course the public trusted DB does not necessarily have to keep a PK cert, it is sufficient for it to keep a mapping between the Public Keys and the relevant properties (possibly identifications/names, possibly other properties). 

Plus, of course, when I refer ot a public key certificate, it also is not necessarily a signature over one public key and an identifier... any signature that contains one or more public key and properties of them is a public key certificate from my point of view.

BTW, I lost track of how this discussion is relevant to DSIG.

Best Regards, 

Amir Herzberg
CTO, NewGenPay
www.NewGenPay.com/Amir/Herzberg.htm
  ----- Original Message ----- 
  From: Daniel Ash 
  To: 'Amir Herzberg' ; w3c-ietf-xmldsig@w3.org 
  Sent: Friday, June 08, 2001 4:36 PM
  Subject: RE: DSAKeyValue text - inferring trust from just a PK


  XKMS, a protocol for XML-based key management, does not imply the need for certificates to be used to establish trust.  In fact, when provided as a third party service, trust could be achieved in many ways... beermat or cert.  Only a name is required to be associated with a key, and without a binding.  The third party trust service provides the binding and the trust.  

  Since XML-based key management is being considered as a project for W3C, this notion seems to have merit. 



  Dan Ash, 
  Identrus LLC  

  > -----Original Message----- 
  > From: Amir Herzberg [mailto:amir@newgenpay.com] 
  > Sent: Friday, June 08, 2001 10:16 AM 
  > To: w3c-ietf-xmldsig@w3.org 
  > Subject: Re: DSAKeyValue text - inferring trust from just a PK 
  > 
  > 
  > Merlin said, 
  > > If I write my public key (or its fingerprint) down on a beermat 
  > > and you receive a document that contains that key (and was signed 
  > > by the corresponding private key) then, subject to our trust 
  > > relationship and the quantity of beer, you may be able to infer 
  > > that I signed the document. Or, you can use the key fingerprint 
  > > to look up a cert in a database. Beer or certs, your choice. 
  > 
  > This mechanism is certainly sufficient for document 
  > authentication (for 
  > which it is also sufficient to write down an appropriate 
  > crypto hash of the 
  > document itself on the beermat). 
  > 
  > However, it is not sufficient for non-repudiation, unless 
  > indeed looking up 
  > the cert in a trusted public database (or having also a certificate). 
  > Namely, if all you have is the beermat containing the key and 
  > the document, 
  > you certainly can't prove that it was signed by the 
  > individual who handed 
  > you the beermat (unless maybe using his fingermark on the 
  > beermat? now that 
  > may work...). 
  > 
  > Best Regards, 
  > 
  > Amir Herzberg 
  > CTO, NewGenPay 
  > www.NewGenPay.com/Amir/Herzberg.htm 
  > 
  >

Received on Friday, 8 June 2001 10:58:13 UTC