[LINK] S/MIME, Thawte and the future of digital signatures?
Richard.Chirgwin at informa.com.au
Fri Mar 26 08:25:40 EST 2004
So is it the signing or just the mail client that makes the message come
three-deep in an attachment? :-)
"(I suspect that if/when S/MIME becomes more widespread, the
different levels of certificate will need to be explained a lot better
to people like Joe Sixpack - but I digress...)"
I don't think it's a digression, Alastair. There's no point to a technology
that doesn't suit the user; and like-it-or-not, things which seem
transparent to us do not seem that way to people outside the 'circle'.
(Interviewed on radio yesterday re the MS judgement in Europe, I must have
corrected the reporter three or four times that Microsoft is being asked to
publish interface specifications, not source code, but that dread word
"code" still crept into the report...)
We've seen over the last month or so that a server certificate is
trustworthy only to a very limited degree and in the right circumstances; I
can spoof a secure site AND present a certificate, and it's asking too much
of most users to get them to inspect the cert. The certs themselves are
pretty arcane; they're not meant to be read by the broad mass of humanity.
Even if a cert is 'notarised' it's only trustworthy if the recipient knows
how to trust it, when to check it, and what the assertions mean; and that's
ignoring the business of actually >using< certs in day-to-day