It is standard operating procedure at a CA to produce a "CPS" or Certification Practice Statement. This document discusses how the Certificate Policy is carried out. Specifically, it tells what the standard is for I&A (Identification and Authentication) of a business or individual before issuance of a given level of certificate.
Verisign has such a statement, which itemizes what they (in theory) do before issuing a cert.
-jbn
Re:Quantum computing will break PK in a few decade on Making PKI Work · Score: 1
Public key cryptosystems, with or without PKI, will be dead meat when Quantum and/or DNA computing become even remotely practical.
Not sure this is all that true. Have you ever calculated exactly how much computing power is required to break a 1024-bit key within a person's life??
Honestly, when is the last time you received encrypted email resulting from a successful key exchange with a user out there in webland?
Let's see... a couple of days ago?
Worse than that, when was the last time you encountered a user out there in webland with a client certificate? How about a client certificate signed by a CA which you trust to have shown due diligence before signing (i.e. not a Thawte free email certificate)?
That would probably be within the last couple of minutes...
This stuff does exist. It is being implemented. Some places you might go for information on real implementations would include:
ACES, State of Washington, City of San Jose
Note that they're all government. Is it possible that government will lead the charge in this field? Is the rest of the world missing the boat?
Yours,
-jbn