'Weak' certificates

Norman Gray norman at astro.gla.ac.uk
Mon Jul 10 08:44:58 PDT 2006 

Folks (Ray in particular),

Back in March last year, Ray posted a discussion of some  
authentication requirements <http://www.ivoa.net/forum/grid/ 
0503/0281.htm> (this is the same message I referred to in my other  
message today, but I'm following up on a different aspect of it here).

In that paper, Ray mentioned `weak certificates' as a way of allowing  
users to create relatively informal identities quickly: `It must be  
as easy for a user to create an identity (i.e. login) for oneself as  
it is for any typical commercial or community web site featuring a  
personal workspace (e.g. Travelocity, community blogs).'

Have you, Ray, been developing this idea since?  I couldn't see any  
mention in the list archives apart from that thread.

The idea might effectively exist already, inasmuch as not all  
certificates are equal, and some make stronger warrants than other  
ones, without any technical distinction such as some being flagged as  
explicitly `weak'.

For example, Thawte <www.thawte.com> provide a range of certificates,  
from web server certificates down to `Personal e-mail certificates'.   
The former are high assurance, and appear to require the corporate  
equivalent of the passports and appointments that you describe; the  
latter are low assurance, and all the verification that's required is  
for Thawte to email you a random phrase, which you then enter into a  
web-page.  These certificates contain an email address, and a CN of  
"Thawte Freemail Member"; all they actually assert, therefore, is  
that an email address exists, with what appears to be a human behind  
it.  There are about half-a-dozen other certificates which Thawte  
describe, which vary in what's asserted, and with some of them having  
magic strings, such as "Domain Validated", in ON fields.  Thus you  
can presumably tell the difference between them relatively easily,  
but none are marked as `weak' or `strong', and the only way you can  
tell what you may or may not rely on is by downloading Thawte's  
Certification Practice Statement <http://www.thawte.com/cps/> and  
reading through it.

A propos another remark in your 2005-03 paper, there is a mechanism  
for upgrading the anonymous email certificate into one with your real  
name attached, but it appears to involve the issue of a _new_  
certificate, rather than the conversion of an existing one.  I don't  
see that that's a problem, however -- you're presumably allowing  
access based on identity, rather than certificate hashes.

All the best,

Norman


-- 
------------------------------------------------------------------------ 
----
Norman Gray  /  http://nxg.me.uk
eurovotech.org  /  University of Leicester, UK

More information about the grid mailing list