From: Phil Karlton <karlton@netscape.com>
To: cypherpunks@toad.com
Message Hash: 340edc9e8fd705eb6e3f3d78422c7d96bae9b3c6c9b78db3c547d2bb041bc1c4
Message ID: <3075D5AD.76CC@netscape.com>
Reply To: <3074DAAB.3D62@netscape.com>
UTC Datetime: 1995-10-07 01:19:33 UTC
Raw Date: Fri, 6 Oct 95 18:19:33 PDT
Subject: Re: Certificates, Attributes, Web of Trust
MIME-Version: 1.0
Content-Type: text/plain

Wei Dai wrote:
> > If you take a look at verisign's home page, they will be offering
> > "low assurance" certificates for free for non-commercial uses. The
> > only thing they will guarantee about these certs is that the subject
> > name in the certificate is unique across all certificates signed
> > by their class I CA. You should be able to get one of these
> > certs in real time via an HTML form.
>
> What is the point of this? What is to prevent someone from
> getting certificates for a million of the most common and/or famous names
> as quickly as possible?

Here is a scenario under which it would have a point. This is not totally
secure, but that does not make it useless.

1) Register e-mail addresses.
2) Send the resulting signed certificates back to the registered
   subject name.
3) After you get your signed certificate, mail it to your friend. Now
   your friend can send you signed or encrypted messages.
4) If you ever get a certificate in e-mail from somebody, feel free
   to use the telephone to verify that it is coming from somebody
   you trust.

Remember, the service is free. In this case, I think you will be
getting more than you paid for.

PK
--
Philip L. Karlton karlton@netscape.com
Principal Curmudgeon http://www.netscape.com/people/karlton
Netscape Communications Corporation
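
The mail-back scheme in the numbered steps above, modeled as an added Python example; it is not part of the original message and not VeriSign's or Netscape's code. Assumptions: an HMAC under a constructed key stands in for the CA's public-key signature, and `MailBackCA`, the addresses and the key bytes are hypothetical.

```python
import hashlib
import hmac

CA_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the CA's signature

def _sign(subject: str, public_key: bytes) -> str:
    msg = subject.encode() + b"\0" + public_key
    return hmac.new(CA_KEY, msg, hashlib.sha256).hexdigest()

class MailBackCA:
    """Hypothetical model of the CA in the message: unique subjects, e-mail delivery."""

    def __init__(self):
        self.issued = set()   # subject names already certified
        self.mailboxes = {}   # simulated mail system: address -> delivered certs

    def register(self, requester: str, subject: str, public_key: bytes) -> None:
        # Step 1: the only guarantee is that the subject name is unique.
        if subject in self.issued:
            raise ValueError(f"subject already certified: {subject}")
        self.issued.add(subject)
        cert = {"subject": subject, "public_key": public_key,
                "signature": _sign(subject, public_key)}
        # Step 2: deliver to the subject address, never to the requester.
        self.mailboxes.setdefault(subject, []).append(cert)

def signature_ok(cert: dict) -> bool:
    expected = _sign(cert["subject"], cert["public_key"])
    return hmac.compare_digest(cert["signature"], expected)

def fingerprint(cert: dict) -> str:
    # Step 4: short digest both parties can read out over the telephone.
    msg = cert["subject"].encode() + b"\0" + cert["public_key"]
    return hashlib.sha256(msg).hexdigest()[:16]

def demo() -> dict:
    ca = MailBackCA()
    ca.register("alice@example.org", "alice@example.org", b"alice-public-key")
    ca.register("mallory@example.net", "famous@example.com", b"mallory-public-key")
    alice_cert = ca.mailboxes["alice@example.org"][0]  # step 3: Alice mails this to Bob
    forged = dict(alice_cert, public_key=b"mallory-public-key")  # key swapped in transit
    return {
        "bob_accepts_alice": signature_ok(alice_cert),
        "bob_accepts_forged": signature_ok(forged),
        "phone_check_catches_swap": fingerprint(forged) != fingerprint(alice_cert),
        "mallory_received_cert": "mallory@example.net" in ca.mailboxes,
        "famous_received_cert": len(ca.mailboxes.get("famous@example.com", [])) == 1,
    }
```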