[10914] in cryptography@c2.net mail archive
Re: RSA getting rid of trusted third parties?
daemon@ATHENA.MIT.EDU (Ian Clelland)
Fri Jun 21 18:08:10 2002
Date: Fri, 21 Jun 2002 14:30:51 -0700
From: Ian Clelland <ian@veryfresh.com>
To: Greg Rose <ggr@qualcomm.com>
Cc: cryptography@wasabisystems.com
Mail-Followup-To: Greg Rose <ggr@qualcomm.com>,
cryptography@wasabisystems.com
In-Reply-To: <5.1.0.14.2.20020622064831.04777a50@203.30.171.11>
On Sat, Jun 22, 2002 at 06:50:58AM +1000, Greg Rose wrote:
> a) it isn't clear to me that RSA would have the right to revoke the
> organisation's certificate; maybe they build it into their license agreement.
I hope that they would reserve the right to revoke the certificate
before it expires. There has to be a way for RSA to say that 'we no
longer trust the entity possessing this certificate'. Even if a company
has paid for the certificate, it should still be revocable in the event
of breach of contract, or loss/theft of the certificate.
> b) browsers *don't check* the revocation status on certificates, and the
> field that points to the server for the revocation list is almost never
> filled in anyway.
That's a good point, but I think it's more of an argument that the
browser-certificate model was already broken, not that this new service
suddenly changes anything.
Ian Clelland
<ian@veryfresh.com>
---------------------------------------------------------------------
The Cryptography Mailing List