Ed,
The PKI industry frequently uses the word "trust" to describe
their services and products.

From an academic point of view this may be wrong but actually
even authentication and authorization are confused.  I can live
with that as well, as a signed purchase order is by common practice
considered as being "authorized" if it is found to be "authentic".

Anyway, the question was really about the business model
behind PKI which basically falls into four categories:
- Private/local PKI.  A cost model only.
- Unilateral TTP.  Subscriber-financed.
- Trust-network.  All members pay.
- RP-only TTP.  The relying parties only pay for verifications.

Anders

----- Original Message ----- 
From: "Ed Gerck" <[EMAIL PROTECTED]>
To: "Anders Rundgren" <[EMAIL PROTECTED]>
Cc: "internet-payments" <[EMAIL PROTECTED]>
Sent: Tuesday, November 12, 2002 20:03
Subject: Re: Identification = Payment Transaction?


Anders:

PKI has nothing to do with trust, and does not even define trust,
so your title does not compute.

Perhaps you mean "PKI authorization networks"?  Quite often,
when people talk about trust they really mean authorization --
but use trust because trust sounds better ;-)

Cheers,
Ed Gerck

Anders Rundgren wrote:

> Survey regarding the future of PKI trust networks
> ------------------------------------------------------
>
> Traditionally certificates have been purchased (or just issued) for
> an entity by a party that is concerned that the entity can be properly
> identified in authentication- and signature-operations.
>
> For a relying party (RP) to check certificate-status has mostly been a
> public and free service.
>
> The financial industry, however, has in several recent PKI-ventures
> shown that it intends to change this by treating lookup-services as
> equivalent to payment transactions, where the RP's bank is used as a
> "trust clearing center" communicating with the subscriber's bank that
> must be a member of the same "trust network".  To make it technically
> impossible for RPs to fully verify signatures without going through
> the trust network (and paying for the services), root-certificates are
> usually not "published".
>
> I would be very happy to hear what the PKI community in general
> thinks about this scheme as the future for PKI.  Off-list responses
> will be treated as CONFIDENTIAL information.
>
> Anders Rundgren

