Re: What's the significance of accepting a cert?

Rohit Khare (
Wed, 25 Jun 1997 21:57:10 -0400 (EDT)

More for the fire: turnabout is fair play, too. --RK

Forwarded message:

To: Bob Jueneman <>
Subject: Re: legal question about certs
Date: Wed, 25 Jun 1997 21:09:17 -0400
From: Steven Bellovin <>

Unfortunately, the argument is circular. If you are concerned
about a rogue CA issuing a certificate to someone who never
heard of that CA, that CA could invent whatever public/private
key pair they wished, and embed that key in the certificate
they are issuing!

Yup -- this is an important point, and one I'd mentioned privately to
a few folks. Without a countersignature by an independent party,
you lose non-repudiation. That is, if a bank is the sole certifier
of the certificate nominally associated with my bank account, it's
much harder for them to prove to the judge that I made certain withdrawals.
After all, I could claim that that wasn't my certificate, but one they
concocted out of whole cloth.
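The point made in the forwarded message, as an added example that is not part of the original thread: a certificate signed only by its issuer verifies the same way whether the customer or the issuer generated the key, while an independent countersignature is something the issuer cannot produce on its own. The `Cert` structure, the function names and the Ed25519 keys are assumptions made for illustration; this is not X.509.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Cert is a constructed stand-in for a certificate (not X.509).
type Cert struct {
	Subject    string
	Key        ed25519.PublicKey
	IssuerSig  []byte // signature by the issuing CA (here, the bank)
	WitnessSig []byte // countersignature by an independent party, nil if absent
}

// binding is the byte string both parties sign: subject name plus public key.
func binding(c Cert) []byte { return append([]byte(c.Subject+"\x00"), c.Key...) }

// Issue returns a certificate carrying only the issuer's signature.
func Issue(ca ed25519.PrivateKey, subject string, key ed25519.PublicKey) Cert {
	c := Cert{Subject: subject, Key: key}
	c.IssuerSig = ed25519.Sign(ca, binding(c))
	return c
}

// Countersign adds the independent party's signature over the same binding.
func Countersign(w ed25519.PrivateKey, c Cert) Cert {
	c.WitnessSig = ed25519.Sign(w, binding(c))
	return c
}

// Evidence reports what a third party can conclude from the signatures alone.
func Evidence(c Cert, caPub, witnessPub ed25519.PublicKey) string {
	if !ed25519.Verify(caPub, binding(c), c.IssuerSig) {
		return "invalid"
	}
	if ed25519.Verify(witnessPub, binding(c), c.WitnessSig) {
		return "countersigned"
	}
	return "issuer-only" // the issuer could have generated this key itself
}

func main() {
	caPub, caKey, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	wPub, wKey, _ := ed25519.GenerateKey(nil)
	custPub, _, _ := ed25519.GenerateKey(nil) // key the customer generated
	bankPub, _, _ := ed25519.GenerateKey(nil) // key the issuer generated itself
	fmt.Println(Evidence(Countersign(wKey, Issue(caKey, "customer", custPub)), caPub, wPub))
	fmt.Println(Evidence(Issue(caKey, "customer", bankPub), caPub, wPub))
}
```

Both certificates pass the issuer check; only the countersigned one carries evidence that does not depend on the issuer's word.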