we beleive one of the reaons that our earlier proposal for enhancemed merchant certification didn't catch on was that electronic commerce on the web has been extremely bi-model; something like 70 percent of the transactions are done by some 50-60 sites and something like 90 percent of the transactions are done by 200 sites.
reputational buying decisions are very concentrated for those 90 percent of the transactions ... i.e. you have done it before, your friends have done it, it is on the T.V. etc. the straight forward enhanced certification process provided little or no additional useful information for the buying decision involving something like 90 percent of the web transactions. The URL itself was sufficient recognition and either the current SSL (or the baby step) precluded fraudulent transactions from ip-address take-over attempts (but none provided any additional benefit for the myrid of denial of service exploits). Because of the concentration of transactions the trust has been widely established for URL for the majority of the transactions. the financial and economic impact for the 90 percent of transactions on the internet is in the area of denial of service exploits (attacks on the web services and/or attacks on the domain name infrastructure). this is because the transactions are so concentrated and reputational information is available because the person has made prior purchase, they know somebody that has made purchases and/or because of TV and other kinds of advertisement. the place for enhanced certification process was for the remaining ten percent of the transactions spread across the millions of remaining web sites. The problem seemed to be the economic cost/benefit for enhanced certificate process for the millions of web sites based on it only was a factor in ten percent or less of all web transactions. there was some proposal of possibly having an online BBB or some sort of state/fed licensing board site that would give real time statistics about complaints, resolutions, etc. This would have meaning for all web sites ... but specifically for the web sites accounting for 90 percent of the transaction provide some additional useful information to the consumer other than straight reputational. The baby step proposal doesn't preclude en enhanced merchant certification for enveloping the public key. If the domain name system is attacked then the environment quickly degenerates to denial of service (whether the certificate is coming from the domain name infrastructure or from the merchant). [EMAIL PROTECTED] on 12/21/2002 9:10 am wrote: I think that you are focused on the wrong problem. Let's not obsess about how we got here, let's look at what we have and what we want. Do we want the NDS to overtake and subsume the existing trademark system? I don't think so. How about we just focus on the consumer. Let's get him the information that he needs to make an informed buying decision. He makes that today on brand names and logo's. I. E. on trust. Give the consumer what they want. I am quite sure that he does not even understand the DNS system, nor have any desire for that to become the sole branding mechanism for the Internet. ..tom