February 22, 2006

High Assurance - summary of the Due Diligence

Someone (who has requested anonymity) has been doing the research on at least some of the goings on in the "High Assurance" programme. It seems that GeoTrust/RSA/Identrus approached the ABA with a view to endorsing the programme for the purpose of notarising documents, which matches GeoTrust's current strategic interest in e-notarisation. To this end, they are proposing signoff by a bank and a lawyer (hence the Identrus and ABA involvement) as well as a site visit and a supplementary WebTrust audit to bring the accountants on side.

The documents are located on the ABAnet site (over on the lower right, in the Listserv box, there is a javascript popup called "Cert Issuance Standards"). The meat of the proposal seems to be enhanced Due Diligence ("DD"). Here's a summary:

(a) Notarization of the signature on the Application for the High Assurance certificate: This establishes a face-to-face contact with a real person acting on behalf of the certificate applicant for the first time in the industry. A notary will also ask for and record a piece of reliable ID (e.g., a driver's license or passport) from the person signing the Application, which will be invaluable in tracking down a fraudster.

(b) Obtaining an attorney opinion letter confirming important Application information: An attorney opinion letter from the Applicant's counsel will verify critical pieces of identity information that a public CA presently only assumes by inference, such as current corporate existence and actual authority of the person requesting the Certificate. The attorney opinion letter will also be the chief way by which public CAs can verify the legal right of an Applicant to use a trademark or logo, thereby helping to avoid commercial disputes. Verified trademarks and logos will likely be included inside TLS/SSL digital certificates in the near future for use in new applications, creating important new branding opportunities for businesses.

(c) Confirming that the Applicant is actively engaged in business (i.e., is a "real" business) by confirming that the Applicant maintains a bank account: Consumer surveys show the public does not want to do business or share information online with imaginary business entities or shell corporations that have no real-world business existence. The High Assurance vetting process confirms that the Applicant maintains a banking relationship with a financial institution, which not only provides solid evidence of ongoing business activity but also provides an important additional confirmed point of contact in the event of a consumer complaint. Because financial institutions must follow stringent "know your customer" rules under federal regulations, they are likely to have extremely accurate information about the Applicant.

(d) Finally, verifying that a representative of the Applicant can be located at a confirmed physical location: Consumers have also indicated they want to be able to link a web site to a physical location where the site owner can actually be found, but no such testing is done by any CA for current SSL certificates. Public CAs today could even issue an organizational certificate to an Applicant listing a particular address, only to find out later (after online fraud) that the address is a vacant lot or an anonymous mailbox service and the web site owner has vanished. The High Assurance certificate is backed by a real-world site visit to the Applicant's address with recorded information to verify that a representative of the Applicant can be found there, which establishes the final vital point of contact.

The good thing about DD processes is that if yours isn't working, there's always more you can throw into it. The bad thing is that throwing more in won't necessarily improve it.

There are several problems with the above, but probably the biggest issue is again how the big boys are doing the deals in the back rooms on their wish lists, and then expecting the net to swallow this as some sort of open consensus / rough consensus and working code. Those who are not represented in this process are the smaller CAs, the notaries, and all of the users; as suspected, my source informs me that there was no open call for wider industry participation, so some of the most obvious problems will go unaddressed until it is too late.

See also the competing proposal by the National Notary Association (in America) as written by the able Daniel Greenwood.

Posted by iang at February 22, 2006 10:29 AM

Funnily enough, in the "competing proposal", I complain about governments doing eSig stuff, and now I'm complaining about the private sector doing it... I can't keep up!

Posted by: Iang at February 22, 2006 12:30 PM