David Chadwick writes:
> this shows what a crap service Thawte are offering. Basically they will link any name to any public key, so the binding is worthless. You might as well issue your own self signed certificate.
No I think this is both a misrepresentation and a misunderstanding of what Thawte WOT does, which should be looked into on its own account. Their process is at least as rigorous as the stronger Grid European CAs. But I'm not interested in following that up - anyone interested can research their process for themselves.
> Also I don't have a problem with two CAs issuing me with certs containing the same DN, in fact I would want them to. What I have an issue with is a CA issuing my name in someone else's cert. This shows that the CA is not authenticating the right to use the name.
Sorry, but you're not the only David Chadwick on the planet. I don't happen to know any others, but I am confident we can turn one up. 411.org shows a few in CA, for example. I worked in a group in LBL that had 3 people with the same first and last name, completely unrelated; a group of about 25 people. Focusing on names is a rathole.
> BTW, the use of an email address is a perfectly good globally unique DN, and it's pretty easy to prove ownership of it. This is how Verisign issue their certs. They send a secret to the mail box of the user.
I can agree with that; we proposed a system like that in late 2001 for our Grid users. Rejected. We have brought it up at other times, but people have raised the issue of spam address harvesting because of the public nature of the certificates. BTW, basing a system on email addresses remains quite problematic. We get about 10 email bounces a week from the certificate lifecycle service of our CA. I have tried to push the issue of revoking these certificates, and it never flies in our PMA. And for good reason - there are many ways for email to fail. It took 6 months or more to sort out an argument between one mail service, which was ruthlessly enforcing certain DNS rules, and another, which had carelessly configured their domain and MX rules (mistakenly, but a common configuration). The scientists and the CA were stuck in between.