Should I use S/MIME?

JOHN MOORE johnmoore3rd at joimail.com
Mon Nov 8 17:14:06 CET 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Simon Josefsson wrote:
| "Mark H. Wood" <mwood at IUPUI.Edu> writes:
|
|
|>On Sat, 6 Nov 2004, Simon Josefsson wrote:
|>[snip]
|>
|>>If someone knows of a public X.509 CA that issues you a certificate if
|>>you prove possession of a private key and an email address, I am
|>>interested and would recommend it to others.  Heck, even one that gives
|>>you a certificate and a private key if you prove possession of an
|>>email address would suffice.
|>
|>Whether that is a good idea or not depends on what you (as the sender,
|>*or* as the recipient) want an identity document to mean.  If it's good
|>enough to be able to strongly suggest that the sender of message A and the
|>sender of message B are the same (possibly unknown) person, then these
|>essentially anonymous certificates should suffice.  If, on the other hand,
|>someone wishes to identify the sender of a message with some entity or
|>event outside the realm of e-mail (and there are legitimate reasons to do
|>so) then more investigation is needed to bind the certificate to that
|>other identity.
|
|
| Right, I agree.
|
| However, in the case of CACert, it seems suspect to give out privacy
| critical information to someone you don't have a paper contract with.
| CACert tries to suggest that their service provides a strong binding of
| the certificate and the real person, but it really doesn't.  They only
| seem to verify the e-mail <-> certificate binding.  I think it would
| give a better impression of a service to only ask for personal
| information that they actually verify, than to ask for personal
| information just because they think they need it.
|
| Btw, someone suggested www.trustcenter.de as an example of a CA I
| asked for above.  I enrolled for a certificate, they asked me for my
| personal name, e-mail address and gender, and I got a certificate.
| Nice work, even though it could be improved by making the personal
| name and gender optional.  Of course, giving out TLS web server
| certificates for free would also be useful.
|

However it must be pointed out that with CAcert (and Thawte) the only
way to have your Name appear on the Certificate is to physically have
your identity verified by another Member or Members (called Assurers)
who then sign your key vouching for the validity.  The only personal
information they ask/require is some government issued number which you
can produce to an Assurer later to confirm you are the same individual.
A simple email address is easy to Spoof!  It's hardly "proof of
identity" and neither CAcert nor Thawte truly cares if you "make up" a
number for ID purposes; however, without a way to "prove" that number is
yours you'll never get enough Assurance Points to have your Name placed
upon the certificate.  Think of it as having a Bill of Sale notarized
for future proof that you did sign the contract.

JOHN :)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.92 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBj5tFnCmZhrerneURAum/AKCUYt83RcFzZE8mP19aSVhaxBDifACfayhV
01zKkTGYF6vqTXS5gOLJQM0=
=q0/X
-----END PGP SIGNATURE-----
