RE: [caops-wg] Name Constraints - attempt at framing issues
Cowles, Robert D. wrote:
> The issue is about global naming. You used a globally unique email address in the certificate when you posed the question, so I said yes. If on the other hand you had just put Brett in the cert then of course I would not expect this to always name the same person.
> But how can you believe that brett@isp.com is globally unique over time when companies like Verisign will resell "isp.com" almost immediately when it becomes available?
That's a very good point. Clearly it's globally unique, but the fact that a unique name might belong to two different people at different points in time is an issue that directories have struggled with as well. The concept of "zombies" was introduced by directories to deal with this, a zombie being a dead name that no longer existed, but had existed in the past and therefore could not be reissued to anyone until a certain (application configurable) time period had expired. But this would put extra load and responsibility on a CA, and as we all know, the commercial CAs write their CPSs so that they can remove as much liability as possible from themselves, even putting the liability back onto the RPs and EEs as much as they can. Ultimately it boils down to a CA's procedures and policies, and this dictates how trustworthy they are.

regards
David
> BC
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax: +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************