At 12:30 PM 9/7/2003 -0700, James A. Donald wrote:
To the extent that trust information is centrally handled, as
it is handled by browsers, it will tend to be applied in ways
that benefit the state and the central authority.  Observe for
example that today all individual certificates must be linked
to one's true name and social security number if it is to
receive default acceptance, and analogously for corporate
certificates.

in the case of SSL domain name certificate .... for both domain name infrastructure and CA/PKI .... it is a case of authenticating that the web site you think you are talking to is really the web site you are talking to. The business issue is that the domain name registration and the CA/PKI are disjoint business operations and the domain name registration didn't provide for a really good authentication mechanism. As a result when getting a certificate request, the CA/PKI has to check with the domain name infrastructure .... map their information out to an external world identification, and then map the entity making the certificate request out to the same external world identification.


Out of all this, there is somewhat a request from the CA/PKI industry that a public key be registered as part of domain name registration (no certificate, just a public key registration). Then SSL domain name certificate requests coming into a CA/PKI can be digitally signed, the CA/PKI can retrieve the authoritative authentication public key (for the domain name ownership) from the domain name infrastructure and authenticate the request .... eliminating all the identification gorp (and also done w/o the use of certificates).

misc. additional recent musings:
http://www.garlic.com/~lynn/2003l.html#60 Proposal for a new PKI model (At least I hope it's new)
--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
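The flow the reply proposes, as an added example that is not part of the original post or of any real registry or CA software: a registry stand-in holds a public key per domain, the domain owner signs the certificate request, and the CA authenticates it purely by looking up that key (the registry map, the Ed25519 choice, and the request layout are assumptions made for the example).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// registry stands in for the domain name infrastructure: at registration
// the domain owner deposits a public key next to the domain (no certificate,
// just the key), as the post proposes.
type registry map[string]ed25519.PublicKey

// certRequest is a simplified SSL certificate request. Domain and SPKI
// (the key to be certified) are signed; Sig is the requester's signature.
type certRequest struct {
	Domain string
	SPKI   []byte
	Sig    []byte
}

// requestBody is the byte string covered by the signature.
func requestBody(r certRequest) []byte {
	return append([]byte(r.Domain+"\x00"), r.SPKI...)
}

// signRequest is the domain owner's side: sign the request with the private
// key whose public half was registered with the domain.
func signRequest(priv ed25519.PrivateKey, domain string, spki []byte) certRequest {
	r := certRequest{Domain: domain, SPKI: spki}
	r.Sig = ed25519.Sign(priv, requestBody(r))
	return r
}

// caAuthenticate is the CA/PKI side: fetch the authoritative key for the
// requested domain from the registry and verify the signature against it.
// Ownership is proven by the signature alone; no external identity is consulted.
func caAuthenticate(reg registry, r certRequest) bool {
	pub, ok := reg[r.Domain]
	if !ok || len(pub) != ed25519.PublicKeySize {
		return false // unregistered domain or malformed key: reject
	}
	return ed25519.Verify(pub, requestBody(r), r.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := registry{"example.com": pub} // constructed registry entry
	fmt.Println("genuine:", caAuthenticate(reg, signRequest(priv, "example.com", []byte("spki"))))
	_, other, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("forged:", caAuthenticate(reg, signRequest(other, "example.com", []byte("spki"))))
}
```

A request signed by any key other than the registered one, for an unregistered domain, or altered after signing is rejected without the CA ever needing to map the requester to a true name.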



--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
