Full Disclosure mailing list archives
Re: PGP vs. certificate from Verisign
From: yossarian <yossarian () planet nl>
Date: Sat, 10 May 2003 23:15:51 +0200
From: "Jason" <security () brvenik com>
To: "Steve Poirot" <poirotsj () gci net>
Cc: <full-disclosure () lists netsys com>
Sent: Saturday, May 10, 2003 10:15 PM
Subject: Re: [Full-disclosure] PGP vs. certificate from Verisign
Steve Poirot wrote:
I'm 98% sure that the key pair is generated on the client machine and that just the public key is transmitted to the CA. The reason I say 98% instead of 100% is that it's possible that a CA just makes it look like that's what's happening. This could be verified by sniffing the session.
Steve Poirot
Jason wrote:
In the case of an implementation failure you would have to verify this... which is what you should _always_ do with _proper_ certificates since they can be legally binding. I know this to be the case in the US and Europe at least.
Which is another reason to stay far away from Verisign certificates - the legal issues surrounding it. If you lose your PGP private key - who cares - just like with your passport: get a new one, pay a fine, duh. But if your Verisign private key gets nicked and you do not notice it - you have lost your digital identity - but be legally responsible for whatever someone else chooses to do with it - the non-repudiation fraud. And like I said in another posting in this discussion recently, even if you do notice it - and what not-too-paranoid user would? - how to disable it by lack of CDPs?

Just for those interested - read the Verisign CPS and compare it to any bank's regulation for credit cards or bank cards - then make a risk analysis: what are the benefits of having a digital identity and what are the risks to your person - in the US and Europe at least. Then bring how likely and feasible identity theft is, now and in the near future, into the equation. Will you let your identity and all that comes with it depend on a number of bytes on your hard disk, a smartcard or whatever, just so you can buy 'content' online? Or to be able to e-mail 'securely' with someone you have never met? For all the other things you can do with a digital signature all you get is convenience - e-government, buying houses online, whatever - all you might gain is a way of doing it from your computer.

It never stops to amaze me how many 'true believers in PKI' still exist. The hype is over. It does not work. If you think you need asymmetric encryption for your email: use a PGP flavor.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
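Two checkable claims sit in the exchange above: Steve Poirot's point that the key pair is generated locally and only the public key goes to the CA, and yossarian's point that a stolen certificate key can only be disabled if the certificate actually names a place to publish revocation (a CRL distribution point, or an OCSP responder). The script below is an added example, not code from the thread or from any CA. It assumes the openssl command-line tool (1.1.1 or later) is on PATH; the subject name and the CRL/OCSP URLs are constructed placeholders. It generates a key, builds a CSR, confirms the CSR carries no private-key material and that its embedded public key matches the local key, then issues two self-signed certificates (standing in for a CA) and reports which of them a relying party could even attempt to revocation-check.

```shell
#!/bin/sh
# Added example (not from the thread): CSR carries only the public key, and a
# certificate is only revocable in practice if it names a CRL DP or OCSP URL.
# Assumes the openssl CLI (1.1.1+). Everything is written to a temp directory.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Key pair generated locally; the private key never leaves this machine.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/key.pem" 2>/dev/null

# 2. CSR = subject + public key + proof-of-possession signature.
#    This file is all that is sent to the CA. (Subject name is constructed.)
openssl req -new -key "$WORK/key.pem" -subj "/CN=example.test" \
    -out "$WORK/csr.pem"

# Returns 0 if the CSR contains no private key block and its embedded
# public key is byte-for-byte the public half of the local private key.
csr_is_public_only() {
    csr=$1; key=$2
    if grep -q "PRIVATE KEY" "$csr"; then return 1; fi
    csr_pub=$(openssl req -in "$csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$csr_pub" = "$key_pub" ]
}

# 3. Issue two certificates (self-signed here, standing in for a CA).
#    One carries revocation pointers (constructed URLs), the other does not.
cat > "$WORK/ext.cnf" <<'EOF'
crlDistributionPoints = URI:http://crl.example.test/ca.crl
authorityInfoAccess = OCSP;URI:http://ocsp.example.test
EOF
openssl x509 -req -in "$WORK/csr.pem" -signkey "$WORK/key.pem" -days 30 \
    -extfile "$WORK/ext.cnf" -out "$WORK/cert_with_cdp.pem" 2>/dev/null
openssl x509 -req -in "$WORK/csr.pem" -signkey "$WORK/key.pem" -days 30 \
    -out "$WORK/cert_no_cdp.pem" 2>/dev/null

# Returns 0 if the certificate names a CRL distribution point or an OCSP
# responder, i.e. if a relying party has somewhere to look for revocation.
cert_has_revocation_pointer() {
    text=$(openssl x509 -in "$1" -noout -text)
    echo "$text" | grep -q "CRL Distribution Points" && return 0
    echo "$text" | grep -q "OCSP - URI" && return 0
    return 1
}

csr_is_public_only "$WORK/csr.pem" "$WORK/key.pem" \
    && echo "CSR carries only the public key"
cert_has_revocation_pointer "$WORK/cert_with_cdp.pem" \
    && echo "cert_with_cdp.pem: revocation status can be looked up"
cert_has_revocation_pointer "$WORK/cert_no_cdp.pem" \
    || echo "cert_no_cdp.pem: no CRL DP or OCSP pointer; cannot be revoked in practice"
```

The CSR check is the sniff-the-session verification from the quoted message done offline: whatever the enrollment page shows, the bytes that leave the machine are the CSR, and it can be inspected. The second check is the defender's side of the CDP complaint: before trusting a certificate for anything binding, confirm it names a revocation mechanism, otherwise "lost key, please disable" has nowhere to go.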