RE: What is "certificate"? (was: what ar
To: www-security@ns1.rutgers.edu
Subject: RE: What is "certificate"? (was: what ar
From: dkearns{TCNET/HR/dkearns}@klaven.tci.com
Date: Fri, 7 Oct 94 11:24:00 -0600
Organization: Thomas-Conrad Corp
Reply-To: dkearns{TCNET/HR/dkearns}@klaven.tci.com

>From: HAPEMAND @ SMTP (Hapeman Dale) {hapemand@asq8.bah.com}
>Date: Friday, October 07, 1994 10:24AM
>
>
>
<Please see Mr. Hapeman's original posting for details>
>
>Am having a little trouble with the concept that I would have a certificate
>that "certifies" that I write code without bugs. I am interpreting the term
>"certificate" the way X.509 defines it.
>
>My X.509 Certificate ties (binds) together:
> my name
> the public key you can use to validate my signatures
>
...
>This verification of signatures on certificates continues until you find a
>certificate that was signed by someone that YOU trust to sign certificates.
> Once you complete this process, you are now happy that the signature on the
>stuff I sent you was signed by someone with my name.
>
>I repeat: You now know that the stuff you got from me was signed by the
>person named in my certificate. You do not know anything about the contents
>that I signed (other than the fact that they have not been altered since the
>time that I signed them). The code I send you could have bugs even if I
>signed a character string that said "This code does not have bugs". The
>existence of my signature does not guarantee this nor does the signature of
>my certificate issuer signify that he "certifies" me to make trusted
>comments about the validity of my code (or my academic achievements).
> Tracing certificate signatures back to a point you trust is a CERTIFICATE
>certification path.
>
...
>In my mind, the CERTIFICATE certification path and the STATEMENT
>certification path are completely different and are made up of different
>people and/or entities.
>
...
>Would I have a different public key signature certificate for every
>statement I wish to make:
>
> - The "I write good code" public key signature certificate issued by an
>expert,
> - The "I have good credit" public key signature certificate issued by a
>bank,
> - The "It's OK to let me into your FTP server" public key signature
>certificate issued by the FTP Etiquette Committee?
>
Put much better than I did in my exchange with Nick Szabo.
I'm beginning to envision something akin to a "Better Business Bureau" for
the net.
The certificate verifies the signer is who he says he is, the "BBB" would
have information as to the credibility/trustworthiness/credit-worthiness/etc.
of the signer. "BBB" servers would be a loosely coupled web designed to
collect, replicate and disseminate information based on reports from
clients/customers/etc.
Could possibly be based on the public key of the signer (as unique
identifier), and would return a 'rating' similar to a 'Standard & Poor's'
stock/bond rating (AAA, AAB, ABB+, etc.) or a "no information" response.
Your software client could then be configured to query on each certificate
beginning with the one 'closest to the source' (i.e., the programmer in the
above example) then up through the various wrappers until a (configurable)
specific rating (or better) was returned.
***
In re-reading this, it sounds an awful lot like Credit Bureaus for the net,
which would certainly damn the proposal in many people's minds - but if
structured properly, it could go a long way towards removing much doubt and
uncertainty about spending your hard-earned ecoins .....
-dave
+-------------------------------------+
| Dave Kearns
| Manager, Electronic Commerce
| Thomas-Conrad Corp.
| 1908-R Kramer Lane Austin, TX 78758
| (512) 836-1935
| dkearns@klaven.tci.com
| dkearns@tcc [MHS]
| 76704,62 [CompuServe]
| http://www.tci.com/
+-------------------------------------+
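As an added illustration (not part of Dave's message or of the thread), a small Python model of the two separate lookups discussed above: the certification path, which only establishes who signed, and the "BBB" rating walk keyed by the signer's public key, closest to the source first, up to a configurable minimum rating. The certificate structure, the rating scale and the sample chain are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed rating scale, best first, loosely modelled on bond grades.
RATING_SCALE = ["AAA", "AA", "A", "BBB", "BB", "B"]

@dataclass(frozen=True)
class Cert:
    subject: str      # the name the certificate binds
    public_key: str   # stand-in for the subject's public key (unique id)
    issuer: str       # name of the certificate that signed this one

def certification_path(leaf: Cert, store: dict, trusted: set) -> Optional[list]:
    """Walk issuer links from the leaf until a name YOU trust is reached.
    Returns the certs, leaf first, or None if no trusted point is found.
    Per-hop signature checks are assumed done; the result says only who
    signed, nothing about the contents that were signed."""
    path, cur, seen = [], leaf, set()
    while cur.subject not in seen:
        seen.add(cur.subject)
        path.append(cur)
        if cur.issuer in trusted:
            return path
        cur = store.get(cur.issuer)
        if cur is None:          # issuer unknown: path cannot be completed
            return None
    return None                  # cycle without reaching a trusted point

def rating_lookup(path: list, bureau: dict, minimum: str) -> str:
    """Query the 'BBB' for each public key, closest to the source first,
    stopping at the first rating at least as good as `minimum`.
    Returns that rating, or 'no information' if none qualifies."""
    want = RATING_SCALE.index(minimum)
    for cert in path:
        grade = bureau.get(cert.public_key)
        if grade is not None and RATING_SCALE.index(grade) <= want:
            return grade
    return "no information"

# Constructed sample: programmer -> vendor -> distributor -> trusted root
STORE = {c.subject: c for c in [
    Cert("programmer", "pk-prog", "vendor"),
    Cert("vendor", "pk-vendor", "distributor"),
    Cert("distributor", "pk-dist", "root-ca"),
]}
TRUSTED = {"root-ca"}
BUREAU = {"pk-prog": "BB", "pk-dist": "AA"}   # no report filed on the vendor
```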