My purpose in signing with a simple certificate (Thawte) is very simple
indeed - anything that is spoofed from me won't have my signature. So whilst
you can't be assured by my signature that the item is from me, you can be
assured by the certificate's absence that the item isn't from me.
Except that so many people got so upset by my certificate that I gave up.
Incidentally, the Thawte certificate is free. PGP used to be but isn't any
more I'm afraid.
John
-----Original Message-----
From: GP-UK [mailto:[log in to unmask]] On Behalf Of Adrian Midgley
Sent: 30 March 2004 19:05
To: [log in to unmask]
Subject: Re: Thawte certificate
On Tuesday 30 March 2004 17:59, someone purporting to be a certificated Paul
Pickering wrote:
> If you are addressing me, it would be nice to be addressed rather than
> being referenced in third person, or as a criminal.
Sorry, the Nigerian scammer is a criminal of course.
> My wee certificate just gives you the option to trust me. It's your
> choice. I am who I am, and I have a certificate to prove it - so you know
> who I am too.
But I don't, you see, and the addition of a PKI and a certificate doesn't
really alter that.
The alternatives for providing a secure foundation for an increase in trust
include a centrally managed assertion (Thawte, or an X509 system run by e.g.
Government as tried and failing in Australia for GPs, or a system of
certificates run by any "central" certificate "authority") and the PGP
solution of a web of trust, where I sign the keys of people who I have
actually ascertained to be reproducibly asserting the identity the key
relates to, and they, perhaps, sign mine.
There is a mildly interesting passage on this in the large novel
"Cryptonomicon" which touches on the way in which many people who have hung
around GP-UK will have in their brains some representation of me (and others)
which allows them to feel quite confident that I am who I am, when they
encounter me in the flesh or elsewhere.
In the North of Oz somewhere there is a cooperative identification system
growing up, set up by GPs, and based upon their knowledge of each other - and
this is the PGP system rather than the Thawte system.
It is worth thinking hard about what certificates add, because it is often a
great deal less than the people selling them seem to be convinced of.
As I said, what I get from a Thawte certificate is a popup asking me if I can
certify to my machine that that certificate indicates the identity that it
asserts, and ... I can't.
--
Adrian Midgley (Linux desktop)
GP, Exeter
http://www.defoam.net/
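The two trust models Adrian contrasts above (a central certificate authority's assertion versus a PGP-style web of trust built from keys one has personally checked and signed) can be modelled in a few lines. The block below is an added illustration, not code from the thread or from any PGP or Thawte software; the keyring, the names (adrian, alice, bob, carol, dave, paul, eve, and a CA labelled "thawte") and the trust assignments are all constructed for the example. The web-of-trust rule it applies is the GnuPG-style default of one fully trusted introducer or three marginally trusted ones; that threshold is an assumption of the example, not something the thread states.

```python
"""Toy comparison of a central-CA trust model with a PGP-style web of trust.

All keys are represented only by their owner's name; no real cryptography is
performed. The data below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Key:
    owner: str
    # Owners whose keys have certified (signed) this key.
    signed_by: set = field(default_factory=set)


# Constructed keyring. "adrian" is the local user evaluating the others.
KEYRING = {
    "adrian": Key("adrian"),
    "alice":  Key("alice", {"adrian"}),           # met in the flesh, key signed by adrian
    "bob":    Key("bob", {"adrian"}),
    "carol":  Key("carol", {"adrian"}),
    "dave":   Key("dave", {"alice"}),             # known only through alice
    "paul":   Key("paul", {"bob", "carol", "dave", "thawte"}),
    "eve":    Key("eve", {"thawte"}),             # nobody adrian knows has signed this
    "thawte": Key("thawte"),                      # the central authority's own key
}

# Owner trust is a local judgement about how carefully someone checks
# identities before signing, and is separate from whether their key is valid.
FULL_TRUST = {"alice"}
MARGINAL_TRUST = {"bob", "carol", "dave"}


def web_of_trust_valid(keyring, me, full, marginal, marginals_needed=3):
    """Return the set of owners whose keys are valid for `me` under a
    web-of-trust rule: my own key is valid; any other key is valid once it
    carries a signature from a valid key whose owner I fully trust, or
    `marginals_needed` signatures from valid keys of marginally trusted owners.
    Iterates to a fixed point so trust can chain (adrian -> alice -> dave)."""
    full = set(full) | {me}          # I trust my own signatures completely
    valid = {me}
    changed = True
    while changed:
        changed = False
        for owner, key in keyring.items():
            if owner in valid:
                continue
            signers = {s for s in key.signed_by if s in valid}
            if signers & full or len(signers & marginal) >= marginals_needed:
                valid.add(owner)
                changed = True
    return valid


def ca_valid(keyring, ca):
    """Return the set of owners whose keys carry the central authority's
    signature. Nothing about the relying party's own knowledge enters into it:
    the CA's assertion is the whole basis for trust."""
    return {owner for owner, key in keyring.items() if ca in key.signed_by}


if __name__ == "__main__":
    print("web of trust:", sorted(web_of_trust_valid(KEYRING, "adrian", FULL_TRUST, MARGINAL_TRUST)))
    print("central CA:  ", sorted(ca_valid(KEYRING, "thawte")))
```

Under the web-of-trust rule, paul's key becomes valid only because three people adrian has checked (bob and carol directly, dave via alice) have signed it, while eve's key stays unknown despite its CA signature. Under the CA rule both paul and eve are "valid" on exactly the same footing, which is the point Adrian makes: the certificate tells you what the authority asserted, not whether you have any reason of your own to believe it.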