as in previous posts ... there would seem to be two ways that legal obligations are created,
1) contracts
2) gov. regulations

for the most part, value exchange can occur to help fund a business operation (aka can a TTP CA operate on no funds and no revenue? salaries, electricity, communication, etc):
1) by value exchange (ala some reason for an entity to purchase a certificate, either because they see some benefit or because it is mandated by the government)
2) government subsidies
3) industry subsidies

we had a little bit of experience related to TTP CAs in support of SSL trusting webservers and the whole thing is the client really talking to the merchant that they think they are talking to. Originally it was thought to be in use generally for e-commerce .... but possibly somewhat because of the expense of the operation it was reduced more & more to just secrecy hiding of credit card numbers. slight reference
http://www.garlic.com/~lynn/aadsm5.htm#asrn2
http://www.garlic.com/~lynn/aadsm5.htm#asrn3

it has now been nine years since we started the work on the above ... as well as some detailed investigation (diligence) of the prominent TTP CAs at the time (operationally and business). The stale, static certificates were being done to certify the domain name of the webserver that the client was talking to. There was no real PKI .... which is the reason we coined the term "certificate manufacturing" (as an aid in distinguishing it from real PKI).

or is the idea that every ten years .... we hold a party to decide that PKIs haven't found a purpose in life yet ... and we decide to again take a new look 3-5 years from now to again see what really happened.

so, we actually have a past comparison of drivers license. For a long time the drivers license was used in an offline world. You get stopped, the officer looks at the drivers license, and then either writes a ticket or doesn't write a ticket. Traditional TTP CA stale, static certificate offline paradigm.
Currently, it would appear that there has been a major transition to the online world for anything of value. The number of the driver's license is used to perform an online transaction which can bring up real-time and aggregated information, including image and physical description.

The assertion was never that stale, static certificates were totally useless. The assertion was that stale, static certificates were better than nothing in an offline environment. In the transition to ubiquitous, online connectivity, the issue becomes a value trade-off of having direct, realtime, online access to the real information .... or relying on a stale, static copy of the real information that was manufactured at some point in the past. The issues aren't payment; the issues are offline vis-a-vis online and the importance or value of having or not having the information.

The assertion is, in an offline world, that a stale, static certificate is possibly viewed as better than having no information. The assertion is that something of value is involved, or it wouldn't even be a consideration that "something better than nothing" is required. If nothing of value was involved, then it would be possible to get by w/o having either online access or a stale, static certificate copy of the online information. The assertion is that it becomes a value trade-off: the better quality information of online, real-time, and/or aggregated information against the poorer quality of stale, static information manufactured at some time in the past vis-a-vis the incremental cost of online.

The assertion is that the payment industry made the trade-off decision in the early '70s that the higher quality online, real-time, aggregated information more than justified the online access. The assertion is that the ubiquitous and pervasive deployment of online world is drastically narrowing the market segment for stale, static offline world. It IS NOT a question of payment vis-a-vis other infrastructures.
it is purely a question of whether the value of the operation justifies the incremental cost of online. As the pervasiveness of online spreads and the costs continue to decline, the market niche for offline gets smaller and smaller. It IS NOT a question of payment vis-a-vis other infrastructures.

Right now today, transit is almost totally offline; the assertion is that the value of the individual transactions, the timing constraints at transit turnstiles, and the relative cost of online create a market segment for low-valued payment to still be an offline operation. There is an assertion that declining costs of online will erode this market segment as an offline infrastructure. It isn't payment vis-a-vis other stuff; it is purely value of the operation, increased benefit of online, realtime, aggregated vis-a-vis offline, stale, static, and costs of online vis-a-vis offline.

past threads on drivers license and/or aggregated information
http://www.garlic.com/~lynn/aadsm11.htm#39 ALARMED ... Only Mostly Dead ... RIP PKI .. addenda
http://www.garlic.com/~lynn/aadsm11.htm#40 ALARMED ... Only Mostly Dead ... RIP PKI ... part II
http://www.garlic.com/~lynn/aadsm12.htm#26 I-D ACTION:draft-ietf-pkix-usergroup-01.txt
http://www.garlic.com/~lynn/aadsm12.htm#27 Employee Certificates - Security Issues
http://www.garlic.com/~lynn/aadsm12.htm#32 Employee Certificates - Security Issues
http://www.garlic.com/~lynn/aadsm12.htm#52 First Data Unit Says It's Untangling Authentication
http://www.garlic.com/~lynn/aadsm13.htm#2 OCSP value proposition
http://www.garlic.com/~lynn/aadsm13.htm#3 OCSP and LDAP
http://www.garlic.com/~lynn/aadsm13.htm#4 OCSP and LDAP
http://www.garlic.com/~lynn/aadsm13.htm#5 OCSP and LDAP
http://www.garlic.com/~lynn/aadsm13.htm#20 surrogate/agent addenda (long)
http://www.garlic.com/~lynn/aadsm14.htm#17 Payments as an answer to spam (addenda)
http://www.garlic.com/~lynn/aadsm14.htm#20 Payments as an answer to spam (addenda)
http://www.garlic.com/~lynn/aepay10.htm#73 Invisible Ink, E-signatures slow to broadly catch on
http://www.garlic.com/~lynn/aepay10.htm#74 Invisible Ink, E-signatures slow to broadly catch on (addenda)
http://www.garlic.com/~lynn/aepay10.htm#75 Invisible Ink, E-signatures slow to broadly catch on (addenda)
http://www.garlic.com/~lynn/aepay11.htm#68 Confusing Authentication and Identiification?
http://www.garlic.com/~lynn/aepay11.htm#72 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/96.html#17 middle layer
http://www.garlic.com/~lynn/98.html#41 AADS, X9.59, & privacy
http://www.garlic.com/~lynn/99.html#238 Attacks on a PKI
http://www.garlic.com/~lynn/2000.html#86 Ux's good points.
http://www.garlic.com/~lynn/2000e.html#39 I'll Be! Al Gore DID Invent the Internet After All ! NOT
http://www.garlic.com/~lynn/2001.html#67 future trends in asymmetric cryptography
http://www.garlic.com/~lynn/2001e.html#76 Stoopidest Hardware Repair Call?
http://www.garlic.com/~lynn/2001f.html#77 FREE X.509 Certificates
http://www.garlic.com/~lynn/2001m.html#4 Smart Card vs. Magnetic Strip Market
http://www.garlic.com/~lynn/2001n.html#56 Certificate Authentication Issues in IE and Verisign
http://www.garlic.com/~lynn/2002h.html#27 Why are Mainframe Computers really still in use at all?
http://www.garlic.com/~lynn/2002m.html#20 A new e-commerce security proposal

--
Internet trivia, 20th anv: http://www.garlic.com/~lynn/rfcietff.htm

[EMAIL PROTECTED] on 6/29/2003 1:45 am wrote:

Lynn!

Before wasting too much list bandwidth, let's conclude that the TTP CA business and legal models are still to be determined by establishing practices. Not a single case has to my knowledge reached a court yet, so [all] this is just "theory", "habits", and "speculation", albeit rather interesting such :-)

The following lines show that TTP CAs may have a long way to go:

"In a simple TTP CA stale, static certificate model, without a business relationship between the merchant and the consumer's TTP CA, no business relationship has been created between the consumer's TTP CA and the merchant. Therefore there are no grounds to sue."

An odd thing is that a major reason Identrus uses a four-corner model is to have the relying party sign a contract freeing Identrus from liability! I.e. this is like accepting a typical US SW contract which says "AS IS", "NOT FIT FOR MISSION-CRITICAL USE", etc. Without having RP-contracts, TTP CAs are (they claim so at least) potentially liable for whatever bad things the consumer does. I'm not the one to tell if this is wrong or not. Frankly, I don't think _anybody_ with certainty can claim that something is right or wrong based on no practical experience at all, as this kind of TTP activity (unlike payments) is totally different from anything else we know. Drivers' licenses or passports are not comparable in any way as there is no physical appearance supporting the identification process.

Let's take a new look in 3-5 years from now and see "what really happened". It will be a truly Darwinian process....

Anders