S/MIME keys (was: What Are Some Good Projects For Novices?)

Paul Rubin phr-n2001 at nightsong.com
Thu Aug 23 19:41:42 EDT 2001


"Steve Holden" <sholden at holdenweb.com> writes:
> Although it has been shown that the commercial agencies can be subverted
> (most recently in the Microsoft case that you talk about), in return for the
> payment many of them will actually indemnify you against losses you incur.
> The larger the payment the greater the indemnity. Of course, none of them
> indemnify their free certificates, which seems reasonable.

Actually, some CAs indemnify certificate holders, but I don't know of
any that indemnify relying parties (people who trust the certificates).

> Ultimately you have to trust *someone*. PGP's ideas in a distributed web of
> trust were interesting, but unfortunately there weren't enough PGP users for
> individuals unknown to each other to be able to acquire mutual trust, so the
> scheme has pretty much foundered. It would be nice if someone would start a
> free "open CA", but sadly there is real work involved in verifying
> identities.

Things like this have been tried anyway, e.g. Thawte web of trust.

> Of more concern, of course, is that by default the common browsers don't
> check the CA's revocation list to ensure that an apparently valid
> certificate hasn't been revoked due to some kind of problem (fraudulently
> obtained or issued to wrong party would be the two most common cases). If
> there really were a public key infrastructure this would be practical, and
> Microsoft wouldn't have had to patch their products to avoid them accepting
> the bogus certificates.

The downside of CRL checking is it means every single one of your
secure site visits gets reported to the CA.  


