Re: [ga] Registration process suggestion

Roeland and Dave Crocker,

In a message dated 2/14/00 11:31:41 AM Pacific Standard Time, rmeyer@mhsc.com 

<<  From: owner-ga@dnso.org [mailto:owner-ga@dnso.org]On Behalf Of Dave
 > Crocker
 > Sent: Saturday, February 12, 2000 1:38 PM
 > At 05:15 PM 2/10/2000 -0800, Roeland M.J. Meyer wrote:
 > > > From: owner-ga@dnso.org On Behalf Of Dave Crocker
 > > > Although the formal CERT developers understand the issue of
 > certi needing
 > > > to be defined carefully, so that different criteria are applied in
 > > > assigning different kinds of certi, there is no large scale use
 > > > of certi as a basis for distinguishing individuals.
 > >
 > >Actually, there is, if you go to the Thawte web-site. The question is if
 > I did not say that no mechanisms or services existed.  I said
 > there was no
 > large-scale USE.
 Without marketing/demographics data, which neither of us are either privy to
 (or are free to publish) your statement is unsupported. I still maintain
 that it is false (understood - such statement is equally unsupported).
 However, you might try Forrester's.
  Yeah, Roeland, you are right on here.
 >  In this case, large-scale refers both to numbers and
 > diversity of the user base.  Thawte is fine for geeks, but the entire
 > system (of which Thawte is a part) is not viable for typical,
 > non-technical
 > users.  It is far too complicated.

  Oh, I don't know. I have seen a whole class of 10 year olds install
their own certs without much problem, more than once.
 I think that Thawte is doing an admirable job in end-user education. More so
 than Verisign is. It is a complex topic.

  As a topic, yeah it is a bit convoluted and takes some time to
comprehend well.  I am not sure that Dave has a good grasp
from what I see here.  
 > > > For that matter, there is no large scale use of certs.
 > >
 > >Go to ANY eCommerce web-site and you will find an SSL cert, at least one.
 > >You will also, on many of them, find TLS capability.
 > Such certs are, at most, for the vendor.  Not the consumer.  A
 > registration/voting system as being discussed here needs persona- (not
 > email-) based certs for the users, not the providers.

 Nope.  Certs are for the consumer, like a (Driver's License), for
being somewhat safe when using the net for purchasing and
E-mail. Good certs, and there are many types, can be as good
or even better than persona if they contain proper info in the
cert like Address, SSN or ID number, and so on.
 I agree with the non-email requirement (email vs persona). It is also a
 problem with PGP. PGP only secures the individual message. With a PKI,
 it -might- also provide verification of the end-points of a communique.
 However, verifying the source is light-years removed from verifying the
 identity of the source. One can use PGP and still remain anonymous. What's
 missing here is a determination of what an identity is defined as.

  I don't agree with your first sentence based on current practice and
known level of technology (Well documented).  PGP is just what it
stands for, "Pretty good Privacy" nothing more.  It is vulnerable to
MIM attacks and some lower size key lengths are vulnerable to
Brute Force attacks also.  But for occasional E-Mail, and sometime
voting online they are fine.  Some PGP vendors have the ability for
you to generate new keys very easily.  I use one of these from
MIT for mine.  I generate a new set of keys every month and it
only takes a few clicks of a mouse (3 mins. max).  I do this to
be sure that my keys are not hacked easily.  Couple this with 
authentication, and for E-Mail and Voting you should have no
problems and have good identification as well.
 > > > For that matter, there is no large scale use of open, encryption-based
 > > > authentication services.
 > >
 > >This is true, iff you emphasize the term "open".
 > That is exactly the point.  ICANN participation is open.
 ... apples and oranges, Dave. ICANN is not a technology and authentication
 services are not a would-be governance organization.
 > > > And that's the problem.  All of this technology-oriented
 > discussion, for
 > > > solving the registration problem, is being conducted without
 > attending to
 > > > the raw fact that the technology has not already been deployed
 > > > and used on very wide scale.
 > >
 > >This is false (see above).
 > It is not false.  (See above.)
 We disagree?!?!? Nahhhh....
 > > > PGP advocates might disagree about large scale authentication
 > activities,
 > > > but that is an example of the problem, rather than a counter
 > to it.  Both
 > > > PGP and S/Mime are still human factors problems for average users.
 > >
 > >and here is another problem that I can agree with. PGP needs a PKI and is
 > >not server-based. SSL/TLS is server-based, but you have to roll your own
 > Modern PGP implementations use servers that are, effectively, the same as
 > PKI servers.
 I was speaking more towards TLS, in conjunction with a CSP.
 -- >>
David "Dude" Jenson
