[ntp:questions] Re: 4.2.1-RC

David Woolley david at djwhome.demon.co.uk
Sat Mar 25 11:09:32 UTC 2006


In article <e034cv$5b$1 at hedeland.org>, per at hedeland.org (Per Hedeland) wrote:

> But there is obviously no way to establish that the claimed
> counter-signatory isn't totally faked by just looking at the certificate

Just for clarification, I was assuming in that paragraph that the 
certificate chain was good, i.e. the browser had a copy of one of
the certificates in the chain and it was marked good for the purpose
for which it was used.

The issue I was thinking of is that, for example, Verisign issue certificates
under several different counter signatures.  Some of those represent a
very thorough check of identity documents, and some of them don't.  Most
people do not disable weaker ones in their browser.

It may be the case that a user is happy with accepting one of the
certifying authority's weaker checks for some purposes, but will only
accept a strong check for others.  As a result, there may, sometimes, be
a need to find out exactly which, verified, counter signature was used.

I think Per and I actually agree.



