12734436, It's all about trust and non-repudiation
Posted by nonaime, Tue Feb-24-15 04:37 AM
If you create a self-signed cert/pub key and use the corresponding private to sign documents, there's no reason to trust that a document signed that way really came from you.
If you get others to sign your key, well now *they* can trust stuff that you sign. Doesn't mean that anyone else has to.
If you have a centralized infrastructure with CAs and the like, then the people that trust that CA can trust the stuff it signs. But if your job gets a cert signed by Thawte, for example, and then uses that cert to sign other stuff...well, I can trust Thawte-signed stuff...but I don't have to trust stuff signed by your job's Thawte-signed cert.
It can be a flimsy trust. For one, how are these various entities vetting your identity before signing your pub key? Secondly (and this is big), how do I know that you didn't do something silly like publish your private key to the webs? You have two keys, a private and a public. You publish the public, keep the private. Losing your private key is a game over scenario, and if you don't (or can't) revoke your key...woe unto anyone who trusts any new communications signed by that key. Remember Heartbleed? That was for SSL, but the same concept applies regarding trust.
I would think those two reasons alone would make for legal headaches...I'm not saying that you can't legally be held responsible. If people can be convinced that a key issued to you went through a vetting process wrt personal identification and that you had sole possession of the keys...then I guess you'd be bound.
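The post draws a line between a signature that verifies and a key that deserves trust, and then adds revocation on top. The Go program below is an added example, not code from the post or from any PKI library: it models the three situations the post describes (a self-signed key nobody vouched for, the same key after a party I already trust endorses it, and the same key after its owner reports it lost) with a constructed one-hop trust store over Ed25519 keys. The `TrustStore`, `Endorsement` and `Verdict` types and the "endorsement = signature over the subject's public key" format are simplifying assumptions made for the illustration; real PGP signatures and X.509 certificates carry much more structure.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Verdict keeps "the signature verifies under this key" separate from
// "I have a reason to believe this key belongs to who it claims".
type Verdict struct {
	SignatureValid bool
	KeyTrusted     bool
	KeyRevoked     bool
}

// Endorsement is a trusted party's signature over someone else's public key
// (the post's "get others to sign your key"). Constructed model, not a real format.
type Endorsement struct {
	Endorser ed25519.PublicKey
	Sig      []byte
}

// TrustStore holds keys I trust directly (anchors), endorsements I have
// collected, and keys whose owners have announced a compromise.
type TrustStore struct {
	anchors      map[string]bool
	endorsements map[string][]Endorsement
	revoked      map[string]bool
}

func keyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

func NewTrustStore() *TrustStore {
	return &TrustStore{anchors: map[string]bool{}, endorsements: map[string][]Endorsement{}, revoked: map[string]bool{}}
}

// AddAnchor records a key I trust for out-of-band reasons (met the owner in person, etc.).
func (ts *TrustStore) AddAnchor(pub ed25519.PublicKey) { ts.anchors[keyID(pub)] = true }

// Endorse has the endorser sign the subject's public key and stores the result.
func (ts *TrustStore) Endorse(endorserPriv ed25519.PrivateKey, subject ed25519.PublicKey) {
	endorser := endorserPriv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(endorserPriv, subject)
	ts.endorsements[keyID(subject)] = append(ts.endorsements[keyID(subject)], Endorsement{endorser, sig})
}

// Revoke marks a key as compromised; it is never trusted again, however valid
// its signatures still are (the post's "game over" case).
func (ts *TrustStore) Revoke(pub ed25519.PublicKey) { ts.revoked[keyID(pub)] = true }

// Evaluate checks the signature first, then answers the trust question separately.
// Trust is one hop only: the signer must be an anchor or be endorsed by one.
func (ts *TrustStore) Evaluate(doc, sig []byte, signer ed25519.PublicKey) Verdict {
	v := Verdict{SignatureValid: ed25519.Verify(signer, doc, sig)}
	id := keyID(signer)
	if v.KeyRevoked = ts.revoked[id]; v.KeyRevoked {
		return v
	}
	if ts.anchors[id] {
		v.KeyTrusted = true
		return v
	}
	for _, e := range ts.endorsements[id] {
		// An endorsement counts only if I trust the endorser AND its signature
		// over the subject key actually verifies; an endorsement can be forged too.
		if ts.anchors[keyID(e.Endorser)] && ed25519.Verify(e.Endorser, signer, e.Sig) {
			v.KeyTrusted = true
			return v
		}
	}
	return v
}

// Demo walks through the post's three situations with freshly generated keys.
func Demo() (selfSigned, endorsed, revoked Verdict) {
	anchorPub, anchorPriv, _ := ed25519.GenerateKey(rand.Reader) // party I already trust
	authorPub, authorPriv, _ := ed25519.GenerateKey(rand.Reader) // the document author
	doc := []byte("constructed sample document")
	sig := ed25519.Sign(authorPriv, doc)

	ts := NewTrustStore()
	ts.AddAnchor(anchorPub)

	selfSigned = ts.Evaluate(doc, sig, authorPub) // verifies, but nobody vouched for the key
	ts.Endorse(anchorPriv, authorPub)
	endorsed = ts.Evaluate(doc, sig, authorPub) // now trusted through the anchor's endorsement
	ts.Revoke(authorPub)
	revoked = ts.Evaluate(doc, sig, authorPub) // still verifies, but the key is burned
	return
}

func main() {
	a, b, c := Demo()
	fmt.Printf("self-signed: %+v\nendorsed:    %+v\nrevoked:     %+v\n", a, b, c)
}
```

The point the three verdicts make is the post's: `ed25519.Verify` returns true in all three cases, so "the signature is valid" never answers "should I rely on it". The revocation check runs before any trust lookup, which is why a compromised key loses trust even when a previously trusted party endorsed it.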