[ntp:questions] Re: 4.2.1-RC
david at djwhome.demon.co.uk
Sat Mar 25 11:09:32 UTC 2006
In article <e034cv$5b$1 at hedeland.org>, per at hedeland.org (Per Hedeland) wrote:
> But there is obviously no way to establish that the claimed
> counter-signatory isn't totally faked by just looking at the certificate

Just for clarification, I was assuming in that paragraph that the
certificate chain was good, i.e. the browser had a copy of one of
the certificates in the chain and it was marked good for the purpose
for which it was used.

The issue I was thinking of is that, for example, Verisign issue certificates
under several different counter signatures. Some of those represent a
very thorough check of identity documents, and some of them don't. Most
people do not disable weaker ones in their browser.

It may be the case that a user is happy with accepting one of the
certifying authority's weaker checks for some purposes, but will only
accept a strong check for others. As a result, there may, sometimes, be
a need to find out exactly which, verified, counter signature was used.

I think Per and I actually agree.