A number of CAs have started offering high-assurance certificates in an attempt to... well, probably to make more money from them, given that the bottom has pretty much fallen out of the market when you can get a standard certificate for as little as $9.95. The problem with these certificates is that, apart from the fact that the distinction is meaningless to users (see work by HCI people in this area), they also don't fit the standard CA business processes. CAs employ people whose job role, and job expertise, lie in shifting as much product as possible as quickly as possible (as has already been demonstrated in the race to the bottom for supplying standard certificates), not in enforcing PKI theology on their clients.
There are only a very small number of people who understand the theology behind certificates sufficiently to be able to explain the motivation behind the various steps in the process of issuing them, and none of them are going to be employed in doing certificate checking for CAs. Instead, the task will be managed by, and performed by, the same people who spam everything in the US that has a pulse with pre-approved credit card applications, loans, and similar items.
Here's a real-world example of this process in action. A user approached a large public CA for a high-assurance certificate and specifically requested that his identity be checked thoroughly via his hard-to-forge paper documents. The CA did the usual standard-assurance checking (whois lookup, email to the whois contact address, caller ID check on the calling number, all easily spoofed), and then announced that the user had been pre-approved for the high-assurance certificate, *before* the user had supplied his authenticating documents.
Made perfect sense, they'd done the equivalent of running a credit check before pre-approving a credit card or loan or whatever. Their proactive service and rapid attendance to the customer's needs put them ahead of the competition...
... except that this isn't something like a standard credit-check business. The user tried explaining this to the CA employees doing the checking, but they just didn't understand what the problem was. They'd done everything right and provided outstanding service to the user, hadn't they?
And therein lies the problem. The companies providing the certificates are in the business of customer service, not of running FBI-style special background investigations that provide a high degree of assurance but cost $50K each and take six months to complete.
The same race to the bottom that's given us unencrypted banking site logons and $9.95 certificates is also going to hit "high-assurance" certificates, with companies improving customer service and cutting customer costs by eliminating the (to them and to the customer) pointless steps that only result in extra overhead and costs. How long before users can get $9.95 pre-approved high-assurance certificates, and the race starts all over again?
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List