[cap-talk] Bundling an Organization's certs with the Petname toolbar

Jed at Webstart donnelley1 at webstart.com
Sat Feb 26 01:47:24 EST 2005


All,

Perhaps after my previous message where I tried
to clarify the identity function that I believe the
Petname toolbar is providing it might be reasonable
to discuss the "bundling" of an identity (e.g.
Amazon.com) to Organization (O): Amazon.com Inc.

I believe that if the Petname does the binding to
the Organization (O) in the certificate as signed
by a single certificate authority and the organization
trusts (there's that word again - used in the common
English sense) the certificate signing authority
to not mix organizations (that is not to sign a
certificate request with one Organization name
if it gets the request from a different Organization),
then having the Petname toolbar bind to the
Organization/CA pair in the certificate rather than to
the key hash will be safe.

In some ways it seems that the user can be safe
in developing a relationship with the Petname'd
entity in that in some sense even if the remote
entity isn't worthy of the trust by virtue of itself
using an untrustworthy CA, then it's still the
remote entity that is ultimately betraying any
trust - just as if it had subcontracted any other
service that it performed.

If there's debate about this bundling then I think we should
discuss it separately from all the discussion about
terminology and such.  I believe this is more of
a technical issue that we might be able to come to
some consensus on.  I was a bit surprised how
quickly Tyler jumped on this idea and put it into
the prototype Petname toolbar implementation.
Perhaps we should find out if there's disagreement
about that choice.

--Jed http://www.webstart.com/jed/ 
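The two binding choices discussed in the message above, as an added example that is not part of the original post and is not the Petname toolbar's code. It uses constructed certificate summaries (the CA names, key bytes and the `cert`, `PetnameStore` and `compare` helpers are hypothetical) and assumes the certificate chain has already been validated by the browser.

```python
import hashlib

def cert(subject_o, issuer, key):
    """Constructed stand-in for the fields of an already validated certificate."""
    return {"subject_o": subject_o, "issuer": issuer, "key": key}

def key_hash_id(c):
    # Binding to the key hash: the identity changes whenever the site changes keys.
    return ("key", hashlib.sha256(c["key"]).hexdigest())

def org_ca_id(c):
    # Binding to the Organization/CA pair: the signer is part of the identity,
    # so the same O string vouched for by another CA is a different entity.
    return ("org-ca", c["subject_o"], c["issuer"])

class PetnameStore:
    """Maps an identity (as computed by `identify`) to the user's petname."""
    def __init__(self, identify):
        self.identify = identify
        self.names = {}

    def assign(self, c, petname):
        self.names[self.identify(c)] = petname

    def lookup(self, c):
        # None means "no petname": the toolbar would show the site as unnamed.
        return self.names.get(self.identify(c))

def compare(assigned, presented, petname="my bookstore"):
    """Name `assigned`, then look up `presented`; returns (key-hash, O/CA) results."""
    results = []
    for identify in (key_hash_id, org_ca_id):
        store = PetnameStore(identify)
        store.assign(assigned, petname)
        results.append(store.lookup(presented))
    return tuple(results)

# Constructed sample certificates.
ORIGINAL = cert("Amazon.com Inc.", "Example CA One", b"key-2004")
ROTATED = cert("Amazon.com Inc.", "Example CA One", b"key-2005")   # same O, same CA, new key
OTHER_CA = cert("Amazon.com Inc.", "Example CA Two", b"key-x")     # same O string, different CA
OTHER_ORG = cert("Amazom.com Inc.", "Example CA One", b"key-y")    # look-alike O, same CA

if __name__ == "__main__":
    for label, c in [("rotated key", ROTATED), ("other CA", OTHER_CA), ("other org", OTHER_ORG)]:
        print(label, compare(ORIGINAL, c))
```

Only the rotated-key case keeps its petname, and only under the Organization/CA binding; that result holds exactly as long as the named CA never signs the same Organization name for a different requester.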


