[OT] CAs: A Story
L. Sassaman
rabbi@quickie.net
Tue, 25 Jan 2000 16:56:32 -0500 (EST)
No, Thawte doesn't sign the real user id. It seems for some reason that
they haven't figured out that that is the simplest and best way of doing
this....
<shameless plug>
FreeCert will sign PGPs correctly. For more info, go to www.freecert.org.
</shameless plug>
And if the user wants to use that ID, he needs to self-sign it. First he
needs to import it to his keyring, by turning on the option
allow-non-selfsigned-uid
And then editing the key and signing it.
Don't ask me why Thawte does it this way. I think they are confused.
I also asked a while back about the possibility of having two different
signing keys, one for the regular Freemail members (for whom there is no
real authentication done) and a separate one for the people who have
obtained 50 or more points in the Thawte WOT (who are very likely who they
say they are.)
I cannot trust Thawte as an introducer for the mere freemail members, but
I would for the people who have had their IDs ascertained in the WOT. But
until they use separate keys, Thawte's sigs are pointless.
I am quite willing to talk to the programmers at Thawte if they would like
to discuss the security concerns about using multiple keys, and signing
the user's real user-id. I give kudos to Thawte for supporting PGP, but it
seems they need to understand a little bit more about the signing process.
--Len.
On Sun, 23 Jan 2000, Werner Koch wrote:
> On Sun, 23 Jan 2000, J Horacio MG wrote:
>
> > " The "Thawte Freemail Member" identity does not alter or change your key
> > " in any way. It is just another identity certificate associated with the
> > " key. People who do not trust Thawte will not see that as a valid
> > " identity.
>
> GnuPG simply does not accept this new user ID because it is not signed
> by the primary key and simply kicks it out due to a missing
> self-signature. It doesn't matter that Thawte signs this user ID
> because it is not considered a valid signature.
>
> IMHO Verisign (Thawte) simply does this as an advertisement; as long as
> they do sign the real user ID too there should be no problem. But I
> do not think that this is a serious way to operate a CA.
>
> > key through "signing and sending back to Thawte a small hexadecimal
> > string generated during the certification process".
>
> No, his secret key has not been compromised.
>
>
> --
> Werner Koch at guug.de www.gnupg.org keyid 621CC013
>
> Boycott Amazon! - http://www.gnu.org/philosophy/amazon.html
>
>
--
L. Sassaman
System Administrator | "I've done my sentence
Technology Consultant | But committed no crime..."
icq.. 10735603 |
pgp.. finger://ns.quickie.net/rabbi | --Freddie Mercury, Queen
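As an added illustration of the point both posters make (this is not code from either of them, nor from GnuPG or Thawte): a small Python check that walks the packets of a binary OpenPGP key block and reports the user IDs that carry no certification issued by the primary key itself, i.e. the self-signature GnuPG insists on before it will keep a user ID. The sample key block is constructed for the example from dummy key bytes; no signature is cryptographically verified, only its issuer key ID is compared with the primary key's, and only new-format packets with short lengths are parsed.

```python
import hashlib
import struct

CERT_SIG_TYPES = {0x10, 0x11, 0x12, 0x13}  # generic, persona, casual, positive certifications

def iter_packets(data):
    """Yield (tag, body) per packet; new-format headers with 1- and 2-octet lengths only."""
    i = 0
    while i < len(data):
        hdr, first = data[i], data[i + 1]; i += 2
        if not hdr & 0x40 or first >= 224: raise ValueError("unsupported packet header")
        n = first if first < 192 else ((first - 192) << 8) + data[i] + 192; i += first >= 192
        yield hdr & 0x3F, data[i:i + n]; i += n

def key_id(key_body):
    """v4 key ID: low 64 bits of SHA-1 over 0x99 || 2-octet length || key packet body."""
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).digest()[-8:]

def sig_type_and_issuer(sig):
    """(signature type, issuer key ID or None) from a v4 signature packet (5-octet subpacket lengths not handled)."""
    sigtype, pos, issuer = sig[1], 4, None
    for _ in range(2):                                   # hashed area, then unhashed area
        end = pos + 2 + struct.unpack(">H", sig[pos:pos + 2])[0]; pos += 2
        while pos < end:                                 # subpacket: length, type, data
            l = sig[pos]; pos += 1
            if 192 <= l < 255: l = ((l - 192) << 8) + sig[pos] + 192; pos += 1
            if sig[pos] & 0x7F == 16: issuer = sig[pos + 1:pos + 9]  # issuer key ID subpacket
            pos += l
    return sigtype, issuer

def uids_without_selfsig(keyblock):
    """User IDs on the primary key that carry no certification made by that key itself."""
    primary, uids, cur = None, [], None
    for tag, body in iter_packets(keyblock):
        if tag == 6 and primary is None: primary = key_id(body)
        elif tag == 13: cur = [body.decode("utf-8", "replace"), False]; uids.append(cur)
        elif tag == 14: cur = None                       # subkey packets end the user ID section
        elif tag == 2 and cur is not None:
            stype, issuer = sig_type_and_issuer(body)
            if stype in CERT_SIG_TYPES and issuer == primary: cur[1] = True
    return [name for name, ok in uids if not ok]

# Constructed sample (not a real key): dummy v4 key body, one UID certified by the key itself
# and one UID certified only by a third-party key, as with Thawte's Freemail certification.
def _pkt(tag, body): return bytes([0xC0 | tag, len(body)]) + body   # new-format, 1-octet length
def _cert_sig(issuer):                                   # v4 positive cert, issuer in unhashed area
    return b"\x04\x13\x01\x02\x00\x00\x00\x0a\x09\x10" + issuer + b"\x00\x00\x00\x01\x01"
DUMMY_KEY = b"\x04\x38\x8e\x1c\x16\x01\x00\x08\xab\x00\x02\x03"
SAMPLE = (_pkt(6, DUMMY_KEY) + _pkt(13, b"Len <rabbi@quickie.net>") + _pkt(2, _cert_sig(key_id(DUMMY_KEY)))
          + _pkt(13, b"Thawte Freemail Member") + _pkt(2, _cert_sig(b"\x11" * 8)))
```

Running `uids_without_selfsig(SAMPLE)` returns `['Thawte Freemail Member']`: the third-party certification alone does not make the user ID acceptable, which is exactly why the user has to self-sign it after importing with allow-non-selfsigned-uid.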