TriNetre - Archive for August 27, 2004

(no longer updated)



August 27, 2004
Judge throws out VeriSign's case
[Technology] @ 04:25 PM

Judge A. Howard Matz of the Central District Court of California threw out the antitrust case filed by VeriSign against ICANN for its ban on VeriSign's Site Finder "service".

"VeriSign's contentions are deficient," Matz stated in a 16-page opinion. "There is nothing inherently conspiratorial about a 'bottom-up' policy development process that considers or even solicits input from advisory groups."

"VeriSign has not alleged, and cannot allege, that the co-conspirators compromised a majority of the ICANN board of directors," the court stated. "It cannot allege that the 'supporting organizations' within ICANN's structure that do include competitors of VeriSign dominated the board."

Nice to know that court rulings still make sense once in a while.



PGP Keysigning and Trusted Third Party
[Security] @ 11:46 AM

This is the first time I have heard of something like this: SANE 2004 will be organising a PGP keysigning event that relies heavily on a Trusted Third Party (TTP), in their case Teun Nijssen of Tilburg University.

This is how it is planned to happen: everyone submits their PGP/GPG key fingerprint and a copy of their identity document to Teun. When you submit your keyprint, you have the option to get it signed "by as many conference attendees as possible". What this means is that if all your papers are in order, Teun will first sign the key (optionally with the NLLUG key too) and upload the keys into a downloadable keyring on the web. "If people feel confident that the identification process described above is as careful or better as the traditional keysigning party, they are in this way able to put their signatures on the keys already signed by the Trusted Third Party."

This is a nice idea to ease the hassle of organising a keysigning event in a big event like SANE, but does it stay true to the spirit in which keysigning was supposed to take place? In a 'traditional' keysigning event, everyone who signs someone else's key should have had a look at the key owner's identity papers and be satisfied with them. By using a TTP in the process you are saying that you firmly trust the process that the TTP follows and are willing to bet your signature on something you have not seen. If you trust a TTP, why can't the logic be extended to say that all keys signed by Phil Zimmermann should be trusted, so why not sign them as well? It becomes harder to draw the line.

I am sure a lot of users will go along with the use of a TTP, but is it a prudent practice? I for one don't think so. As it is, the "chaotic" structure of the PGP trust model is open to attacks. Using a TTP will just make it worse. I salivate at the opportunity to get tens of signatures on my key at a single event, but I will not be willing to sign someone's keys without seeing his/her papers myself.
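The concern above, worked through in a small model (an added example, not part of the original post or of the SANE procedure): it counts signatures with GnuPG's default thresholds and then asks whose single identity check the resulting validity really rests on. The `Signature` record, its `checked_by` field and the sample signers are constructed for illustration; a real OpenPGP signature does not record who inspected the papers, and the model ignores trust depth and expiry.

```python
# Added illustration; names and sample signatures are constructed.
from dataclasses import dataclass

MARGINALS_NEEDED = 3  # GnuPG default for --marginals-needed
COMPLETES_NEEDED = 1  # GnuPG default for --completes-needed

@dataclass(frozen=True)
class Signature:
    signer: str
    key: str
    checked_by: str  # assumption: who really inspected the identity papers

def is_valid(key, sigs, ownertrust):
    """GnuPG-style count: 1 fully or 3 marginally trusted signers."""
    signers = {s.signer for s in sigs if s.key == key}
    full = sum(1 for s in signers if ownertrust.get(s) == "full")
    marginal = sum(1 for s in signers if ownertrust.get(s) == "marginal")
    return full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED

def independent_checks(key, sigs, ownertrust):
    """Distinct people whose paper check stands behind the trusted signatures."""
    return {s.checked_by for s in sigs
            if s.key == key and ownertrust.get(s.signer) in ("full", "marginal")}

def single_points_of_failure(key, sigs, ownertrust):
    """Checkers whose one mistake alone would still leave the key valid."""
    risky = set()
    for checker in independent_checks(key, sigs, ownertrust):
        resting_on = [s for s in sigs if s.key == key and s.checked_by == checker]
        if is_valid(key, resting_on, ownertrust):
            risky.add(checker)
    return risky

# The verifier marginally trusts three attendees and has never heard of the TTP.
OWNERTRUST = {"bob": "marginal", "carol": "marginal", "dave": "marginal"}

# Traditional party: each signer looked at the papers personally.
TRADITIONAL = [Signature(p, "alice", p) for p in ("bob", "carol", "dave")]

# TTP party: the TTP checked the papers, the others signed on that basis.
TTP_PARTY = [Signature("ttp", "alice", "ttp")] + [
    Signature(p, "alice", "ttp") for p in ("bob", "carol", "dave")]

if __name__ == "__main__":
    for name, sigs in (("traditional", TRADITIONAL), ("ttp", TTP_PARTY)):
        print(name, is_valid("alice", sigs, OWNERTRUST),
              sorted(independent_checks("alice", sigs, OWNERTRUST)),
              sorted(single_points_of_failure("alice", sigs, OWNERTRUST)))
```

Both keyrings make the key valid by signature count, but in the TTP case the three marginal signatures reduce to one paper check by a party the verifier never chose to trust.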



Onashamsakal
[India] @ 11:00 AM

Here is wishing all Malayalees a very happy and colorful Onam.

"Maveli nadu vanidum kalam,
Manusharellarum onnupole,
Amodathode vassikum kalam,
Apathangarkkumottila thanum."

Translation:
When Mahabali ruled the land
Everyone was equal
Happily they lived
Danger befell none