From: timd@consensus.com (Tim Dierks)
To: “E. ALLEN SMITH” <EALLENSMITH@ocelot.Rutgers.EDU>
Message Hash: f2a562ecb7b3dac3ac4e6ea8f86509f76810dd28f79e88c5b273e5d2a38cb3d7
Message ID: <v02140b03adb92b2dbc65@[205.149.165.24]>
Reply To: N/A
UTC Datetime: 1996-05-11 02:39:10 UTC
Raw Date: Sat, 11 May 1996 10:39:10 +0800
Subject: Re: PGP, Inc.
MIME-Version: 1.0
Content-Type: text/plain

At 11:10 PM 5/9/96, E. ALLEN SMITH wrote:
>From: IN%"shamrock@netcom.com" 9-MAY-1996 23:02:01.67
>
>>At 19:37 5/9/96, E. ALLEN SMITH wrote:
>>> I can see some fascinating legal questions with what, exactly, a
>>>VeriSign certificate obligates the company for. Digital signature laws should
>>>get interesting - any application of this to the Utah one?
>
>>VeriSign is going to offer four levels of certs. The first requires only
>>uniqueness. For the other three levels, VeriSign will require more and
>>better assurances of the correctness of True Name stated on the cert. I
>>don't know what form these assurances are supposed to take.
>
> The first level, in other words, is less of a certification than a PGP
>key with self-signature and signature from one other person. It doesn't have
>_any_ effort to verify that the email address stated on it is the actual email
>address of that nym. Or am I misinterpreting you?

The only effort they make is that when using the email-based CA, it mails
the certificate to the address within, so it's not trivial to get a cert
for an address that you don't have access to. (I'm not saying it's
impossible, or even hard, just that it requires some skill and effort).

- Tim
Tim Dierks -- timd@consensus.com -- www.consensus.com
Head of Thing-u-ma-jig Engineering, Consensus Development