[EMAIL PROTECTED] on 6/23/2003 1:15 pm wrote: Lynn, Relying-party certificates applied to the described scenario would add a $5-$20 RA cost per user and add extreme user-inconvenience in the [very likely] case a user would need to go to multiple e-government portals. That is, relying-party-only PK schemes, be it account or certificate-based, are not candidates for e-governments communicating with citizens.
In your earlier posting you claimed that account-based schemes could do the same thing as certificate-based dittos; Could you please provide some more data to support this view by applying your thinking to the described TTP-based scenario? Anders ok, the previous reference was to three business entities: 1) public key owner ... that sends a self-signed message off to a registration authority 2) a certification authority (CA) that includes a registration authority (RA) that certifies something about the public-key owner's public key (the public-key is basically some form of authentication material that is certified by the CA as being associated with the public key owner). This information is recorded by a CA in some account record 3) the relying party which relies on the CA for validating some assertion by the public key owner. My assertion is that the above description applies to all of the business models .... whether it is certificate-based or certificateless-based or online or offline. An example of an online version of the above (modulo the issue of whether public key is the authentication material) is the world-wide debit and credit networks. Another example is the Kerberos which is the basic authentication infrastructure for a multitiude of platforms. Another example is RADIUS which is the majority of the ISPs in the world today. Modulo the issue of public key issue, the X9.59 standard provides the definition for switching to public key based authentication infrastructure for all electronic retail payments (debit, credit, stored-value, ach, internet, non-internet, point-of-sale, etc) Modulo the issue of public key issue, the PK-INIT draft for Kerberos defines initial public key authorization for Kerberos. Modulo the issue of public key issue, there have been several RADIUS implementations that add account-based digital signature authentication to the suite of authentication protocols supported by RADIUS infrastructure. So the assertion is that the majority of authentication events (even internet) that occur in the world today are fundamentally account-based (modulo some SSL that are primarily certificate manufactoring based, not PKI). Now back to the original description, even for PKI infrastructures that choose to issue stale, static certificates for situations where the relying-party can't directly contact the certification authority ... as happens in credit transactions, debit transactions, kerberos login and authorization transactions as well as ISP login RADIUS transactions. Fundamentally, a certificate represents some stale, static subset of information that is recorded at the certification authority account record. The purpose of issueing the certificate is to support relying parties that would have no direct or online access to certification authority (as per credit network, debit network, kerberos implementations, radius implementations, etc). So the fundamental assertion is the reason for the existance of static, stale certificate is to cover situation where the relying party hasn't online and/or realtime connectivity. A possible issue is that lots of PKI documentation grossly confuse the issue of certifications with certificates. For at least 30 years with online systems, there have been certifications w/o certificates because of the availability of online, realtime connectivity between the relying party and the certification body. Certificates are purely a representation of the certification for use in offline environment. So a dozen e-government websites could be totally implemented using an account-based, online infrastructure supporting digital signature RADIUS. A RADIUS-based implementation then opens up for selective support of authentication, authorization, permissions, and accounting on a website by website basis. -- Internet trivia, 20th anv: http://www.garlic.com/~lynn/rfcietff.htm