I think you have put your finger right on the problem.
Certificates, https, and the entire PKI structure were designed
for an accountless world, but the problem is accounts.

The other view ... using a little information theory ... is that certificates are a stale, static, read-only copy of the information in the certificate authority's account record ... targeted for offline environments where the relying party has no access to the real authoritative agency responsible for the information.

One of the things from the '90s, in the transition from offline to the start of a pretty much ubiquitous online world, was trying to come up with things to put into certificates to justify their price. One of the attempts was extreme overloading of the certificate with large amounts of identity and privacy information, and furthermore convincing the public that they should pay for the privilege of having huge amounts of their privacy information sprayed all over the world.

The fallback is to attempt to reduce as much as possible any information of actual value in a certificate and to not go around confusing identification with authentication. This was sort of the relying-party-only certificates from the financial community in the later part of the 90s ... don't put any information of any value whatsoever in a certificate; just create these huge, very large bit patterns that were one hundred times larger than a typical payment transaction and require that these extremely large bit patterns be attached to every payment transaction sent back to the financial institution (which already had the original copy of all the information). From this it was possible to demonstrate a PKI infrastructure where every certificate was compressed to zero bytes. The horrible payload penalty and information/privacy leakage problem was ultimately addressed with zero-byte certificates. They contained a zero-byte, stale, static, read-only copy of the information in the certificate authority's account record.
--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
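The relying-party-only, zero-byte-certificate idea described above, as an added example that is not from this post or the Wheelers' own work: the institution's account record is the authoritative key store, so a transaction carries only an account ID and a signature, while a certificate snapshot goes stale the moment the record changes. The account IDs, the Registry type and the transaction text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Account is the authoritative record the relying party (the institution) keeps.
type Account struct {
	PubKey ed25519.PublicKey
	Active bool
}
// Certificate is a stale, read-only snapshot of that record taken at issue time.
type Certificate struct {
	AccountID string
	PubKey    ed25519.PublicKey
}
// Registry is the institution's live account database (hypothetical, constructed).
type Registry map[string]*Account

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a crypto/rand failure is unrecoverable here
	}
	return pub, priv
}

// VerifyWithCert trusts only the copy attached to the transaction (the offline model).
func VerifyWithCert(cert Certificate, tx, sig []byte) bool {
	return ed25519.Verify(cert.PubKey, tx, sig)
}

// VerifyWithAccount is the zero-byte-certificate path: the relying party consults
// its own current record, so only the account ID needs to ride on the transaction.
func (r Registry) VerifyWithAccount(id string, tx, sig []byte) bool {
	acct, ok := r[id]
	return ok && acct.Active && ed25519.Verify(acct.PubKey, tx, sig)
}

// StaleCertScenario: the institution rotates the account key after a certificate
// was issued against the old one. Returns (cert path accepts, account path accepts).
func StaleCertScenario() (bool, bool) {
	pubOld, privOld := newKey()
	reg := Registry{"acct-0001": {PubKey: pubOld, Active: true}}
	cert := Certificate{AccountID: "acct-0001", PubKey: pubOld} // snapshot at issue time
	pubNew, _ := newKey()
	reg["acct-0001"].PubKey = pubNew // live record updated; the certificate is not
	tx := []byte("acct-0001 pay 42.00 to merchant-7") // constructed transaction
	sig := ed25519.Sign(privOld, tx)
	return VerifyWithCert(cert, tx, sig), reg.VerifyWithAccount("acct-0001", tx, sig)
}
```

The certificate path still accepts the signature made with the retired key, because the certificate is a copy frozen at issue time; the account path rejects it without any revocation machinery, because it reads the live record.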