📅 Original date posted:2012-11-27
📝 Original message:> No, the point of using X509 certs is to get a verified identity (a
> domain name) on the receipt, this is needed for multi-factor
> authentication. You can't do that without some kind of third party
> asserting to an identity.
Agree that you need a third party to verify identity. But the verification policy of sites is the job for a payment provider not a payment technology. So if you would like verification of the site you could just sign the memo using standard S/MIME - why mix it with the payment protocol?
Further, it is controversial use of the host key to use it for digital signing of documents, and not even within the policy of a host certificate as far as I recall.
The problem you are trying to tackle is that we don't have an ID solution on the internet today for this purpose. Certificates for signing messages are distributed freely and insecurely only based on temporarily having an email from within an organization, and the host certificates are meant for SSL handshakes. Funnily, any CA can issue digital certificates for email signing for any domain, even though they don't own them, and without notifying the owner. DANE actually solves this, but until then using the host certificates is unintended use, it is cryptographically a nice solution, but legally and standard-wise a hack.
/M
Michael Gronager [ARCHIVE] /
npub1nc…gw452
2023-06-07 10:41:07
in reply to nevent1q…lc7g
Author Public Key
npub1nc78dlt7hp3v5dl32qu3m678h2j0ss374glcjnz8df75xcx7ngpq4gw452Seen on
wss://relay.noswhere.comPublished at
2023-06-07 10:41:07Event JSON
{
"id": "06892a7b6310903fe297d2dcaf0f5f4457183279d2890b1102d4c67199e5b0f8",
"pubkey": "9e3c76fd7eb862ca37f150391debc7baa4f8423eaa3f894c476a7d4360de9a02",
"created_at": 1686134467,
"kind": 1,
"tags": [
[
"e",
"f5f2400f8aa8a7067be3d080f096fd7cbfeecdd6e589c178b85b63a9338150a5",
"",
"root"
],
[
"e",
"369cb1d270429cb148b0b6cf25e4dac873e966b1f457a9e5698ce4d85713857e",
"",
"reply"
],
[
"p",
"f2c95df3766562e3b96b79a0254881c59e8639f23987846961cf55412a77f6f2"
]
],
"content": "📅 Original date posted:2012-11-27\n📝 Original message:\u003e No, the point of using X509 certs is to get a verified identity (a\n\u003e domain name) on the receipt, this is needed for multi-factor\n\u003e authentication. You can't do that without some kind of third party\n\u003e asserting to an identity.\n\n\nAgree that you need a third party to verify identity. But the verification policy of sites is the job for a payment provider not a payment technology. So if you would like verification of the site you could just sign the memo using standard S/MIME - why mix it with the payment protocol?\n\nFurther, it is controversial use of the host key to use it for digital signing of documents, and not even within the policy of a host certificate as far as I recall.\n\nThe problem you are trying to tackle is that we don't have an ID solution on the internet today for this purpose. Certificates for signing messages are distributed freely and insecurely only based on temporarily having an email from within an organization, and the host certificates are meant for SSL handshakes. Funnily, any CA can issue digital certificates for email signing for any domain, even though they don't own them, and without notifying the owner. DANE actually solves this, but until then using the host certificates is unintended use, it is cryptographically a nice solution, but legally and standard-wise a hack.\n\n/M",
"sig": "7e8f3daaf9debec0978b82b518d4885a116eb5429c095aa0f3f9f38c8961968af382ec3d5ffaa761d7af3b08a4ff30ca91b912b25214f14d2888f166dde09c81"
}