What if each country's government were to act as CAs? To me this seems the
most logical solution. They already issue passports, driver's licenses,
etc., - why not digital certificates? This would also tie in well with
Massimiliano Pala's vision: "Indeed I see certificates to be like ID cards:
you can sign contracts, get married or vote using a digital ID certificate."
I feel that the government is the only entity that people would trust enough
to put the entire infrastructure into place.
-----Original Message-----
From: Erik Aronesty [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 22, 1999 3:09 PM
To: [EMAIL PROTECTED]
Subject: Re: Verisign acquisition of Thawte
OpenCA.Org doesn't really count. Neither does any one entity. We need a
group that will inspire the trust needed to compete with Verisign.
My image is of an international organization of "certificate issuing
companies" and "signing authorities".
The member authorities would receive various security requests via a
published protocol and would be required to comply with documentation,
archiving procedures, etc. In return they would receive a portion of the
fee charged for the request. Possibly we could decide that two member
authorities must approve a request before the group's signature is issued.
The authorities would be chosen automatically based on a "fair" method. The
method wil likely (but not necessarily) take into account the country in
which the requesting organization resides, the reported "capacity" and
"clearance levels" of the authority and the number of outstanding requests.
For example: Certain governments may require 256-bit military certs to be
signed only be approved bodies, etc. These bodies could sign up as members
of the group and use the group's powerful, scalable services to issue certs.
Published, balanced rules must therefore be embedded in the group protocol
which guide the assignment of the tasks required to service any requests.
I imagine a breakdown of fees could be an equal % each of those who check
the credentials of the organization and a smaller % to the the actual server
responsible for issuing the cert, and an additional % held in escrow for the
promotion and maintenance of the organization.
As far as actual liability, insurance can be readily purchased - and from my
experience in assessing credit risks, this sort of organization (with
liability spread out over many countries, and with documented standards and
open protocols) would be in a *much* better position to obtain insurance at
a far lower rate than even Verisign.
Some mandates (poorly worded, etc.)
1. OPEN: No one entity, or exlusive body of entities, may control the
rights to use the protocols, name, logo or services provided by the group.
Any company or individual must be considered equal regardless of capital
investment, or political authority. Membership in the group must be based
solely on willingness to dedicate time, ability and to uphold the charter of
the group.
2. DISTRIBUTED: All requests made to the group, electronic or otherwise
will be distributed among the willing participants of the group acording to
a fair and reasonable scheme that takes into account locality, authority and
capacity in a manner approved by the group. The group shall endeavor, where
possible, to remove any dependance upon a given line of communication,
protocol or entity. There will be no one central database where information
is kept or considered correct.
3. AUTOMATED: All decisions, where possible, must be automated. This
included electronic anonymous voting, automatic membership approval, fee
collection and distribution, etc.
4. SECURED: All transmitted and stored information regarding members,
certificates, and demographics must consistently exceed the standards of
security and privacy set by our competition.
5. BENEFITS: The ONLY benefits given to member authorities are the
fairly distributed fees received for processing request and the equal
"notoriety and publicity" received by being a member. All members can view
the fees collected by every other member.
**OK, I've run out of steam!**
- Erik Aronesty
www.primedata.org
----- Original Message -----
From: Massimiliano Pala <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 22, 1999 5:07 AM
Subject: Re: Verisign acquisition of Thawte
> > Erik Aronesty wrote:
> >
> > After the Verisign acquisition of Thawte, there remain few signing
authorities who will perform services for a
> > reasonable fee.
> >
> > Maybe the OpenSSL group should launch a new not-for-profit application
verification and certificate signing service?
> > We'd be happy to donate lines and equipment.
> >
> >
> > - Erik Aronesty
> > Prime Data Corp.
>
> The problem is the liability... anyway if you want to get a free
certificate, go to
>
> https://secure.openca.org
>
> C'you,
>
> Massimiliano Pala ([EMAIL PROTECTED])
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
