Novel new use of PGP keysigning sessions
Ian BROWN
I.Brown at cs.ucl.ac.uk
Mon, 14 May 2001 15:31:15 +0100
>Suppose my bank uses a PKI to authenticate and secure my electronic
>transactions with it. Fine. I would expect it to accept my key if it is
>first certificated by one of its own officers authorised to do that or from
>a known corresponding organisation. I could be quite upset if it were to
>accept my key signed by M.Mouse etc.
One of the central misunderstandings behind PKIs is that any organisation that
gave the matter a moment's thought would want to use a third-party certificate
to authenticate their customers.
If identification of
individuals is important (such as in banking due to money laundering
regulations) the bank will not rely on authentication by a body with such a
long disclaimer of liabilities as VeriSign -- they will want to use a
real-world relationship they already have with a customer. If identification
of the customer (rather than *authorisation of payment*) is not important, as
in 95% of e-commerce, why should they turn away potential customers simply
because they haven't paid a $20 VeriSign tax?