[3005] in cryptography@c2.net mail archive


Re: Pseudonymous S/MIME certs?

daemon@ATHENA.MIT.EDU (Enzo Michelangeli)
Mon Jul 20 12:03:00 1998

From: "Enzo Michelangeli" <em@who.net>
To: <cryptography@c2.net>
Date: Mon, 20 Jul 1998 23:45:55 +0800

-----Original Message-----
From: Ben Laurie <ben@algroup.co.uk>
Date: Monday, July 20, 1998 11:35 PM


>Enzo Michelangeli wrote:
>>
>> By the way: are there technical or legal issues preventing someone from
>> using a personal certificate, issued by Verisign or equivalent, to initiate
>> a certification chain useable by third parties? The advantage, of course,
>> would be the inheritance of the trust when the message is received by
>> popular agents which come with the public keys of those CA's built-in (like
>> Messenger or Outlook Express).
>
>I think there are legal and common sense issues and possibly technical
>ones, too:
>
>Technical: I don't know whether enough products actually support cert
>chains (admittedly I've never tested it, but since they are almost never
>used in real life, I rather doubt anyone else has either).


The S/MIME protocol explicitly supports them. That's why S/MIME messages are
so embarrassingly large: they carry the cert chain baggage.

>Legal: seems to me this would not be a permitted use of an ordinary
>cert.


Yup, this is what I'm afraid of.

>Common-sense: just coz I trust A, doesn't mean I trust B who A signed
>for.


Still, it could make sense e.g. in a VPN-like environment where A is a
system administrator (the "Internal CA admin"), and B a generic member of
the same organization as A and myself, but located remotely. Such an
arrangement would allow a company with N users to buy from a CA only one
cert instead of N.

Enzo


