Novel new use of PGP keysigning sessions

Owen Blacker owen.blacker at wheel.co.uk
Mon, 14 May 2001 18:05:19 +0100


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nicholas Bohm, quoting Owen Lewis:

> > In short, one serious organisation may well opt to accept a form
> > of identity issued by another. In principle an electronic
> > identification is in no way special in this respect.  
> 
> Do current standards (X.509) allow for an address [...] to be
> included in certificates?  
> 
> [deletia]
> 
> This is less of a problem than it seems.  [...]  My bank already
> knows me:  I would expect it to accept my PGP key as mine because I
> first wrote it a letter (which it currently regards as an
> acceptably verifiable procedure) telling it the ID/fingerprint, and
> not because some third party certified it.  

I think that's the crux of the issue.  With the exception of cases
where no one cares *who* I am, as long as they get the money (such as
e-commerce websites), I can't think of anywhere where this would be
an issue without there being some other form of relationship.  If I'm
buying a house (eg), chances are I'm going to have some
communications with the existing owner (even if only indirectly),
simply to see if I like the size of the rooms or the color of the
front door...

In most situations where transactions will occur, people don't care
*who* is buying from *whom*, simply that the money will clear and the
goods (however ethereal they may be) will arrive.  I don't care who
Play247.com are, as long as they send me the DVDs I've paid for. 
They don't care who I am, as long as they get the money for the DVDs
they've mailed out.

Going back to Nicholas's original question, though, ISTR that
Thawte's Web of Trust does allow for proof of identity that could
include an address.  I don't think they use that information, though.
https://www.thawte.com/certs/personal/wot/procedures.html is the
nearest URI I can find to information on this.

Anyways, time to go home, methinks...  :o)


O x
- -----
Owen Blacker
Senior Software Developer / InfoSec Consultant    Wheel: Clerkenwell
See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys
Sig  0x00036874 | d39f b776 fa20 c125 b0e2  aa6d 555e 4126 0003 6874
- -----
Opinions are mine.  My employer and their clients can get their own!

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
Comment: Due to RIP, pls check for revocation before using this key!

iQA/AwUBOwAP8FVeQSYAA2h0EQINuQCeMajLYq9hk8Yn5vIb2tZtZkxK5UMAnRe0
yRZMCvY2jJxhCGtYTHsYNbcv
=VaMR
-----END PGP SIGNATURE-----
