Re: [Bogus] Microsoft AuthenticodeT webcam viewer plugin

[Valdis.Kletnieks () vt edu]

On Wed, 29 Oct 2003 18:55:16 EST, George Capehart <capegeo () opengroup org>  said:
> This is why the CA's Certification Practice Statement (CPS) is so 
> important . . . and why, if one is going to accept a certificate, they 
> *really* should read the CPS and understand exactly what process the CA 
> went through to determine the authenticity of the DN.  *Then* you 
> should read the audit reports to see if the CA is really following the 
> CPS.  If that information is not available publicly available, he/she 
> who accepts those certs deserves what he/she gets.

As a practical matter, there's "certs signed by our internal CA" and "certs
signed by any other CA".  "any other CA"s certs are for the most part useless
as anything other than a glorified MIC (Message Integrity Check) - if the data
is properly signed by the cert and the cert's signed by the CA, the data hasn't
been diddled since signing.

The distinction for *my* CA is that I know what their CPS is, I know what their
audit is, *and* I have a good guess of how they do things when auditors aren't
looking (if you think these departments can't *smell* an auditor coming, you
haven't been around long enough).

Oh, and there's one other major benefit.  When Verisign bobbled that bogus
Microsoft cert, there weren't any major repercussions for Verisign.  On the
other hand, the cert gnomes upstairs from my office know *very* well that if
they screw up a cert in a way that affects me, I *will* be up there creating
real repercussions for them... :)

Attachment: _bin
Description: