Policy-Discussion

[Ian Grigg <iang AT systemics.com>]

On Friday 29 July 2005 13:10, Philipp Gühring wrote:
> > And therefore, we do not guarantee that we've
> > proven the identity of anyone, because such is
> > an impossible statement?
> 
> We have not proven the identity, we have verified it.
> 
> > The reason for this tortuous introspection is that
> > it then clears the way for establishing different levels
> > of surety or risk.  Without that we are stuck with the
> > myth of all CAs being equal, and all certs being
> > equal, and every day being Christmas.
> 
> I don´t see the association here.

OK.  There is a big problem with the way the SSL / CA /
PKI system works.  It is assumed that all certs are good,
if they are chained up to the browser roots.  As the
browser do not properly identify the CAs, or the types
of certs, this it is more or less forced on the users that
all CAs and all certs are the same.

Yet, not all CAs are the same, not all certs from the
same CA are the same, and etc etc.  Specifically, it
is possible to get a heavily verified identity cert from
one CA and a stolen credit card cert from another CA,
and they both act the same as far as the browsers are
concerned.

This is a bug in browsers' implementations of the system,
and will one day be rectified.  In the meantime, what you
are suggesting above is adding more spice to the mix,
in that the verification of someone's identity might be
done "strongly" in say Austria and "mildly" in say UK.

Which leads to the question of how to show this in the
certs - is this covered by the number of points that a
person has?

iang
-- 
Advances in Financial Cryptography, Issue 2:
   https://www.financialcryptography.com/mt/archives/000498.html
Mark Stiegler, An Introduction to Petname Systems
Nick Szabo, Scarce Objects
Ian Grigg, Triple Entry Accounting