zen8486 at zen.co.uk
Thu Aug 12 13:17:49 BST 2004
Actually the provision of digital certificates to individuals is very much a
hot item at the moment. I don't want to enter into a flame war, but central
government are requiring that services be made available to the citizen
electronically. In order to do that they are mandating that certain
authentication levels are met for 'sensitive' information. This
authentication is currently relying on digital certificates and whatever the
pros and cons of the whole scheme, PGP's model of a 'web of trust' doesn't
appear to meet the criteria for the highest levels of data. Unfortunately
neither does the current Verisign model, although it does come closer.

The idea of a digital signature is twofold: firstly it confirms that the
message was sent by the holder of the associated private key, which cannot
actually identify the individual in either the PGP or Verisign trust model,
but of more use it prevents the contents of the message being altered without
alerting the recipient to this fact, providing they actually verify the
message. Even this is open to problems, as some of the recent PGP issues
around address 'hijacking' have proven.

Do I think that we should have to digitally sign our messages for this list as
a matter of course? No, not yet. But I think there will come a time, soon,
where people will choose to use it, or even where email clients (particularly
corporate) will enforce the use of either personal certificates or corporate
ones on all email.

By the way, this topic seems to have generated a great deal of debate in the
list; is this only due to the PGP/Verisign camp split?

(Yup, I checked, this is definitely me. Trust me, I'm a doctor - errr hang
on, no I'm not)