playing with cryptography...

Mark H. Wood mwood at IUPUI.Edu
Thu May 22 20:37:28 CEST 2008


On Sat, May 03, 2008 at 04:43:28PM -0400, John W. Moore III wrote:
> reynt0 wrote:
> > A few minor, picky points, FWIW:
> > 2.  Is it "certain" that "Thawte has confirmed", or is it
> > *claimed* that Thawte has confirmed?
> 
> They 'Ping' the Email Address to confirm control of it.

Aw, how hard is it to go to www.thawte.com, look for the seal, and see
that an independent auditor (apparently KPMG) has examined their
practices and given an opinion on whether they follow their own
policies and procedures (which should be published, so you can inspect
them)?  If you think the seal is faked, ask the auditors.

> > 3.  Of course, Thawte's confirmation process is however
> > trustworthy or not as it may be, which has to be evaluated.
> 
> Which is why the level of Trust in any Certificate may be Edited by the
> End User.

Which evaluation is what Certification Practice Statements are for.
The CA's CPS should be one of the inputs to the audit.

This stuff all works.  It just works differently.

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
