Key server security considerations / Certification Authorities

Janusz A. Urbanowicz alex@FUCKUP.fantastyka.net
Wed Feb 28 23:59:15 2001



> > Thawte Computing (www.thawte.com) used to do this as a part of their
> > Personal Web of Trust Certification System. Allegedly they stopped this
> > service due to compatibility problems (their software choked on pure,
> > GPG-generated OpenPGP keys, for instance), but I'll advise checking.
>
> AFAIK, Thawte did indeed stop signing (certifying) keys. The word on the
> eStreet was that it might have been related to the fact that Thawte was
> acquired by Verisign (www.verisign.com) which charges a non-trivial fee
> for its certification services. Their price has come down so you may want
> to look there again.

They have stopped certifying PGP but they haven't stopped their Freemail Certification Service.

> The fact that NOTHING prevents a keyserver from accepting a bogus key is
> the reason why, for instance, Thawte would only identify the certificate
> holder as "Thawte Freemail Member." Until you show up somewhere in
> person and give evidence that you are "Alex," Janusz A. Urbanowicz, anyone
> would be pretty dumb to post a bond against your e-sig.
> In fact, the probability is fairly high that there is another Janusz A. Urbanowicz
> somewhere on Earth!

There was. He was a Polish guerilla soldier during WWII and was killed on 1.1.1945. This is why I use my middle initial.

> Well, then, a Certificate Authority had best have a picture of you and
> some more information.

They have. To have a Thawte Freemail Certificate with your name, you go to a few (at least two) Thawte Personal Web of Trust Notaries to show them your ID (and hand them xerox copies of it). They are obliged to testify that you came in some day and showed good papers saying who you are. I am a Thawte WOT Notary (my identity was confirmed by Bruce Watermeyer of Thawte, but anyone can become a Notary).

> Biometrics might help.
> Hey, maybe the day is coming when, to do business on the 'net, you will stick
> your finger up a little hole in the computer where a couple of cells will be
> removed and a DNA analysis run. Your genome will then be your signature :-)

No, it won't. Biometrics data can be stolen. Repeat after me: BIOMETRICS IS NOT A UNIVERSAL SOLUTION TO SECURITY PROBLEMS.

Alex
--
Janusz A. "Alex" Urbanowicz
DSS: 1024/0x21939169
D-H: 2048/0xA2E48564
"The source of all of our problems is that we think that today we won't die."