AW: Robot CA at toehold.com

Huels, Ralf SCORE Ralf.Huels@schufa.de
Fri Dec 6 07:55:02 2002


David Shaw writes:
> Mind you, I'm not saying that this isn't a good enough reason to do
> it.  I just don't want the impression going around that email
> verification is somehow "secure", and the best way to do that is to
> lay out in clear terms exactly what this is good for.
> 
> You're not saying this is secure, and in fact saying the opposite,
> which is admirable.  Many people won't understand that, unfortunately.

I agree. The documentation on the CA's web page (if not in the
key UID comments) should state much more explicitly how weak this
type of certification is and that there is no proof of any connection
between a *person* and the key at all, just between the key and
*someone* who effectively controls the mail address (including,
for instance, the purported owner's postmaster). 

Hit them over the head with that information. 

Bye,
Ralf