That's a fundamental difference between Netscape's plan for SSL to enable web commerce, and the grass-roots no-trusted-third-party idea behind the original PGP.

If I want to pay $1000 to VeriSign, they issue a certificate after checking me out. A certificate issued by them is presumably good, because everybody trusts them.

However, a more general form is that my key (which I made myself) is signed by people I know personally. The PGPkeys app will look at who signed my key, and do a recursive search all the way back to someone you said you trust because you know them personally (they're the ones who signed your key).

PGP's plan is a more general approach. I could have my friends sign it at a key-signing party, or I could pay a famous notary to sign it, or both. X.509 certificates only have one authority signature, so it's much simpler.

The problem is, I don't know anyone personally who uses PGP regularly, to sign my key and be worth anything. It won't add it to the peer network, because we are all islands. The network is not hooked up!

So, how else do you get to know someone? From repeated exposure. I sign newsgroup posts to prevent fakes from appearing in my name. The reader can't prove that the signature really identifies a specific person, but he knows that all the posts are from the same person. A fake will stand out.

So, all my online friends know me from 10 years of correspondence. Many don't know what I look like, but they know me, to some extent. If I needed to, I could prove that a specific statement I issue is signed by the same person they "know", even though no authority is identifying me as an individual outside of that context.

That's the concept I'm using to make "grass-roots" (e.g. no big bucks to VeriSign) code signing work. A DLL is signed by somebody. So what? Well, if the same signature is used in many places that are visible, you can come to know the signer from those places and know that the code was written by the same person.

Signing a web page with the manual and whitepapers helps link the code to its creator. Signing the page that contains pictures of my family is not "necessary" for commerce, but helps keep the chain of identity, of "same person here", going. We have that link in face-to-face society. We know we're dealing with the same individual because we see and/or hear him and compare the face or voiceprint implicitly. I'm proposing one mechanism to continue that mechanism into cyberspace.

Now back to SSL. If you send me money, you want to know more specifically that I'm a legitimate business in line with the identifying marks on the page. It might be a business you've never seen before but found on pricewatch.com. Having an authority check it out is a great solution for that.

However, for someone who's not Amazon, spending $1000 per year is just bogus, especially if you're not sending me credit card info. Instead, what I really want is to have a notary public sign my key for a $2 stipend. That's good enough for selling titled merchandise like cars, or making small legal contracts, right? So it should be good enough for some online purposes, too.

—John


In reply to Re: Re: Digital Signatures on Web Pages by John M. Dlugosz
in thread Digital Signatures on Web Pages by John M. Dlugosz
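As an added example (not part of John's post, and not PGP's own code), here is the recursive "who signed whom" search he describes, in a simplified form of PGP's key-validity rule, together with the "same signer in many visible places" continuity check. The key ids, signature records and trust levels are constructed, and every signature record is assumed to have already been cryptographically verified; only the trust reasoning is shown.

```python
# Constructed sample web of trust. Key ids are placeholders, not real fingerprints.
# SIGS maps a key to the set of keys that have signed it (who vouches for whom).
SIGS = {
    "ME":     {"ALICE", "BOB", "CAROL"},   # friends from a key-signing party
    "ALICE":  {"YOU"},                     # YOU signed ALICE's key in person
    "BOB":    {"YOU"},
    "CAROL":  {"DAVE"},                    # CAROL is only vouched for by DAVE
    "DAVE":   set(),                       # an "island": nobody signed DAVE
    "NOTARY": {"YOU"},                     # the $2 notary from the post
    "VENDOR": {"NOTARY"},                  # a merchant whose key the notary signed
}
# Owner trust the reader (YOU) assigns: how much to rely on each key's signatures.
# The root key itself is always treated as fully trusted.
OWNER_TRUST = {"ALICE": "marginal", "BOB": "marginal", "CAROL": "marginal",
               "NOTARY": "full"}


def key_valid(key, root, sigs, owner_trust, completes_needed=1,
              marginals_needed=3, max_depth=5, _seen=frozenset()):
    """Simplified PGP validity (assumed thresholds: 1 full or 3 marginal signers,
    chains at most 5 deep). A key is valid if it is the root, or if enough
    *valid* keys whose owners the root trusts as introducers have signed it."""
    if key == root:
        return True
    if max_depth == 0 or key in _seen:     # depth limit and cycle guard
        return False
    full = marginal = 0
    for signer in sigs.get(key, ()):
        level = "full" if signer == root else owner_trust.get(signer)
        if level is None or signer == key:
            continue                        # untrusted owner or self-signature
        if not key_valid(signer, root, sigs, owner_trust, completes_needed,
                         marginals_needed, max_depth - 1, _seen | {key}):
            continue                        # an invalid key's signature has no weight
        if level == "full":
            full += 1
        else:
            marginal += 1
    return full >= completes_needed or marginal >= marginals_needed


# Constructed artifacts: a DLL, its manual page and an old newsgroup post.
ARTIFACTS = [
    {"name": "widget.dll", "signer": "ME"},
    {"name": "manual.html", "signer": "ME"},
    {"name": "news-post-1998", "signer": "ME"},
]


def same_signer(artifacts):
    """Continuity check from the post: do all artifacts carry one signing key?
    Returns that key id, or None if the signatures come from different keys."""
    signers = {a["signer"] for a in artifacts}
    return signers.pop() if len(signers) == 1 else None
```

With the default thresholds ME is not valid for YOU (only two trusted, valid introducers signed it), while VENDOR is, because a single fully trusted notary suffices; lowering marginals_needed to 2 makes ME valid.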
