[cryptography] Tell Grandma to remember the Key ID and forget the phone number. [was: Re: Let's go back to the beginning on this]

ianG iang at iang.org
Mon Sep 26 16:08:45 EDT 2011


On 26/09/11 20:28 PM, StealthMonger wrote:
> Drill Grandma on one thing:
>
>       ...REMEMBER THE KEY ID.

Actually, this is not only a reasonably interesting idea, it's part of 
the PKI model.  If Grandma gets defrauded by a false cert, and wants 
some remedy, she has to identify who it was.  Typically this would mean 
keeping the cert (or KeyID) and presenting it to the CA.

Without being able to present these details, the CA won't even know if 
it is their cert that is at fault.  It could be a cert from their worst 
enemy CA in another country.  Or it could be a made up cert with no 
crypto data in it and the browser is buggy... Or maybe grandmama is lying...

If you have a good CA, it's written in the CPS somewhere ... for what it 
is worth:

    " *Keeping Records.* Records should be kept, appropriate to the 
import of the decision. The certificate should be preserved. This should 
include sufficient evidence to establish who the parties are 
(especially, the certificate relied upon), to establish the transaction 
in question, and to establish the wider agreement that defines the act. "
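
Added example, not part of the original post or of any CA's CPS: the concrete details a relying party would need to keep so that a CA can tell whether a disputed certificate is theirs. The issuer name, serial number, SHA-256 fingerprint and the subject/authority key identifiers are pulled from a certificate, and the Subject Key Identifier is recomputed by hand (RFC 5280 section 4.2.1.2, method 1: SHA-1 over the subjectPublicKey BIT STRING contents) as a cross-check. The two-certificate chain is constructed inline so the script runs offline; it assumes the `cryptography` library is installed, and the names "Example Issuing CA" and "grandma-bank.example" are made up.

```python
"""Extract the identifiers a relying party should keep from a certificate.

Assumes the `cryptography` package is installed. The CA and leaf
certificates are constructed here purely as sample input.
"""
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _read_tlv(buf: bytes, off: int):
    """Return (tag, value, next_offset) for the DER TLV starting at buf[off]."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def rfc5280_key_identifier(public_key) -> bytes:
    """Key identifier per RFC 5280 4.2.1.2 method 1: SHA-1 of the
    subjectPublicKey BIT STRING value, excluding the unused-bits byte."""
    spki = public_key.public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    tag, body, _ = _read_tlv(spki, 0)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    _, _algorithm, off = _read_tlv(body, 0)  # skip AlgorithmIdentifier
    tag, bitstring, _ = _read_tlv(body, off)
    assert tag == 0x03, "subjectPublicKey must be a BIT STRING"
    return hashlib.sha1(bitstring[1:]).digest()


def dispute_record(cert: x509.Certificate) -> dict:
    """Everything needed to hand a CA so it can recognise (or disown) a cert."""
    def ext_hex(cls, attr):
        try:
            value = getattr(cert.extensions.get_extension_for_class(cls).value, attr)
        except x509.ExtensionNotFound:
            return None
        return value.hex() if value is not None else None

    return {
        "issuer": cert.issuer.rfc4514_string(),
        "subject": cert.subject.rfc4514_string(),
        "serial": format(cert.serial_number, "x"),
        "sha256_fingerprint": cert.fingerprint(hashes.SHA256()).hex(),
        "subject_key_id": ext_hex(x509.SubjectKeyIdentifier, "digest"),
        "authority_key_id": ext_hex(x509.AuthorityKeyIdentifier, "key_identifier"),
        # Keep the certificate itself as well; the identifiers alone are not evidence.
        "pem": cert.public_bytes(serialization.Encoding.PEM).decode(),
    }


def record_from_pem(pem: bytes) -> dict:
    """Same record, starting from a PEM blob saved out of a browser."""
    return dispute_record(x509.load_pem_x509_certificate(pem))


def make_chain():
    """Constructed sample input: a self-signed CA and one leaf it issued."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime(2011, 9, 26, tzinfo=datetime.timezone.utc)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name).issuer_name(ca_name)
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(ca_key.public_key()), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    leaf_cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "grandma-bank.example")]))
        .issuer_name(ca_name)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(leaf_key.public_key()), critical=False)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key()), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return ca_cert, leaf_cert


if __name__ == "__main__":
    ca, leaf = make_chain()
    for key, value in dispute_record(leaf).items():
        if key != "pem":
            print(f"{key}: {value}")
    print("recomputed SKI:", rfc5280_key_identifier(leaf.public_key()).hex())
```

The authority key identifier on the leaf equals the subject key identifier on the CA's own certificate, which is the link that lets the CA say "that is (or is not) one of ours"; the fingerprint and serial pin down the exact certificate, and the PEM is what actually gets presented.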


