RE: "Onion model" explained

> From: Pete Wenzel [mailto:pete@seebeyond.com]
> Sent: Thursday, July 11, 2002 5:59 PM
> To: Joseph Hui
> Cc: Christopher B Ferris; Hal Lockhart; www-ws-arch@w3.org
> Subject: Re: "Onion model" explained
> 
> 
> Thus spoke Joseph Hui (Joseph.Hui@exodus.net) on Thu, Jul 11, 
> 2002 at 04:27:32PM -0700:
> > [snip]
> > >> >Presumably she requires some proof of possession, a certificate
> > >> >alone proves nothing, but this is a side issue.
> > >> 
> > >> A certificate proves nothing?  By certificate I meant a cert
> > >> that Alice deemed trustworthy, say a CA signed cert.  Now, if a CA
> > >> signed cert, which millions of Internet shoppers trust their money to,
> > >> means nothing to you, then I don't think we'll go anywhere on the issue.
> > > 
> > > A certificate alone means nothing, even one that is CA
> > > signed, absent a CPS.
> > 
> > Well, it means whatever Alice deems trustworthy or otherwise,
> > assuming Alice already practices "safe certs," such as
> > checking the CRL (Cert Revocation List) with due diligence.
> > [snip]
> 
> These are all important considerations for establishing a
> certificate's trustworthiness, but I think you are both still missing
> Hal's "proof of possession" point. 

If there was a point there, it wasn't a salient one wrt
the gist in my original (first) response to Hal: authN
alone can suffice in some cases.

> The fact that I can present some
> random certificate to you, even if it passes all validity checks, only
> serves as identification.  My identity is not authenticated (bound to
> the identifiers in the cert) unless I can actively prove to you that I
> am the subject of said cert.  (This by demonstrating that I can sign a
> challenge nonce, verifiable using the cert's public key; or that I can
> decrypt something that you have encrypted with it.)

Again, let me reiterate what I expressed in previous messages of
this thread: it all comes down to Alice's discretion: in what
does she trust?  In trust and sec, you get what you pay for, but don't
pay for what you don't need.  There're many happy PGP folks
out there.  Not everyone finds it necessary to add challenge/response
on top of trusted certs; in fact most e-commerce practitioners
don't.  (BTW, this has been a well-trodden area for
non-repudiation enthusiasts.)  Say, if you buy stuff from an
https website, do you challenge the sellers?  I bet you don't,
even though it's your money that's at stake.

Joe Hui
Exodus, a Cable & Wireless service
========================================
> 
> --Pete
> Pete Wenzel <pete@seebeyond.com>
> SeeBeyond
> Standards & Product Strategy
> +1-626-471-6311 (US-Pacific)
> 
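The sign-a-challenge-nonce check Pete describes above, written out as an added Go example (not code from either correspondent or from the W3C list). The self-signed certificate and the 32-byte nonce are constructed stand-ins; whether Alice trusts the cert itself (CA signature, CRL, CPS) is assumed to be settled separately, since this step only binds the presenter to the cert's public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// MakeCert builds a constructed, self-signed stand-in for the CA-signed cert Alice already trusts.
func MakeCert() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewChallenge is Alice's side: a fresh random nonce for each session, so old answers cannot be replayed.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Respond is the presenter's side: sign the nonce with the private key that matches the cert.
func Respond(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// ProvesPossession is Alice's check: the response must verify under the public key bound to the presented cert.
func ProvesPossession(cert *x509.Certificate, nonce, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(nonce)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

Presenting the cert without its private key, or replaying a signature made over an earlier nonce, fails the check; only the holder of the matching key passes.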

Received on Thursday, 11 July 2002 22:05:35 UTC