Peter Gutmann wrote: > And therein lies the problem. The companies providing the certificates are in > the business of customer service, not of running FBI-style special background > investigations that provide a high degree of assurance but cost $50K each and > take six months to complete. The same race to the bottom that's given us > unencrypted banking site logons and $9.95 certificates is also going to hit > "high-assurance" certificates, with companies improving customer service and > cutting customer costs by eliminating the (to them and to the customer) > pointless steps that only result in extra overhead and costs. How long before > users can get $9.95 pre-approved high-assurance certificates, and the race > starts all over again?
when we were doing this stuff for the original payment gateway ... http://www.garlic.com/~lynn/aadsm5.htm#asrn2 http://www.galric.com/~lynn/aadsm5.htm#asrn3 we had to also go around and audit some number of these relatively (at the time) brand new organizations called certification authorities ... issuing these things called digital certificates. we listed a large number of things that a high assurance business service needed to achieve (aka explaining that the ceritification authority business was mostly a business service operation). at the time, several commented that they were started to realize that ... it wasn't a technically oriented local garage type operation ... but almost totally administrative, bookkeeping, filing, service calls ... etc (and from an operational standpoint nearly zero technical content). most of them even rasied the subject about being able to outsource their actual operations. the other point ... was that the actual design point for digital certificates ... were the providing of certified information for offline relying parties ... i.e. relying parties that had no means of directly accessing their own copy of the certified information ... and/or it was an offline environment and could not perform timely access to the authoritative agency responsible for the certified information. as the online infrastructure became more and more pervasive ... the stale, static, digital certificates were becoming more & more redundant, superfulous and useless. in that transiition, there was some refocus by certification authority from the offline market segment of relying parties (which was rapidly disappearing as the online internet became more and more pervasive)) to the no-value relying party market segment ... aka those operations where the operation could justify the cost of having their own copy of the certified information AND couldn't cost justify performing timely, online operations (directly contacting authoritative agency responsible for certified information). even this no-value market segment began to rapidly shrink as the IT cost rapidly declined of maintaining their own information and the telecom cost of doing online transactions also rapidly declined. while the attribute of "high-assurance" can be viewed as a good thing ... the issue of applying it to a paradigm that was designed for supplying a solution for an offline environment becames questionable in a world that is rapidly becoming online, all-the-time. it makes even less sense for those that have migrated to the no-value market segment ... where the parties involved that can't cost justify online solutions ... aren't likely to find that they can justify costs associated with supporting a high-assurance business operation. part of the issue here is the possible confusion of the business process of certifying information and the digital certificate business operation targeted at representing that certified information for relying parties operating in an offline environment .... and unable to perform timely operations to directly access the information. this can possibly be seen in some of the mid-90s operations that attempted to draw a correlation between x.509 identification digital certificates and drivers licenses ... where both were targeted as needing sufficient information for relying parties to perform operations ... solely relying on information totally obtained from the document (physical driver's license or x.509 identification digital certificate). there was some migration away from using the driver's license as a correlary for x.509 identification digital certificates ... as you found the majority of the important driver's license relying operations migrating to real-time, online transactions. a public official might use the number on the driver's license purely as part of a real-time online transaction ... retrieving all the actual information ... and not needing to actually rely on the information contained in the driver's license at all. it was only for the relatively no-value operations that the information in the physical drivers license continued to have meaning. any events involving real value were all quickly migrating to online, real-time transactions. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]