From: Jeff Weinstein <jsw@netscape.com>
Date: Fri, 6 Oct 95 00:08:18 PDT
To: cypherpunks@toad.com
Subject: Re: Certificate proposal
In-Reply-To: <9510021553.AA13756@tis.com>
Message-ID: <3074D507.1EE1@netscape.com>
MIME-Version: 1.0
Content-Type: text/plain


Hal wrote:
> 
> tomw@orac.engr.sgi.com (Tom Weinstein) writes:
> 
> >In article <DG06FE.IA8@sgi.sgi.com>, Hal <hfinney@shell.portal.com> writes:
> 
> >> OK, so suppose I want to send my credit card number to Egghead Software.
> >> I get one of these new-fangled certificates from somebody, in which
> >> VeriSign has certified that key 0x12345678 has hash 0x54321.  I think we
> >> can agree that by itself this is not useful.  So, it will also bind in
> >> some attribute.  What will that attribute be?
> 
> >Um, just a wild guess, but... your credit card number maybe?  (Well,
> >okay, its hash.)
> 
> I may not have been clear: the certificate I was referring to was the one
> from Egghead, the one which I will use to make sure that I have a valid
> key for Egghead.  Such a certificate would of course not have my credit
> card number; it would probably have some information related to Egghead.
> My rhetorical point was that information would most plausibly be a NAME
> by which I would refer to Egghead.  I am still trying to understand how
> these proposals to take names out of the picture will apply to a
> commonplace situation like this one.

  I don't think that we need to get rid of names entirely.  It all
depends on the intended use.  In this case it would be reasonable
for the certificate to have the name in it.  It would also probably
be signed by a bank or card association CA, which was set up
specificly to sign merchant certificates.

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.