Comments: Social re-engineering

preference was putting the authoritative agency brand/logo on the web site. the authoritative agency ... like the better business bureau or the state licensing bureau, etc ... somebody that is the real trust authority.

the certification authority paradigm was that they would certify some information gleaned from the actual authoritative agency. fundamentally, they are a momentary aberration in time having to do with

1) authoritative agencies tend to be late adopters ... so certification authorities were somewhat standing in for the real authoritative agencies ... until the authoritative agencies caught up with the technology

2) fundamentally the product of the certification authorities are these constructs (certificates) that had a design point of an offline environment ... where the relying party had no online/near-time recourse to the real authoritative agency

for instance ... an insurance company site might have a brand/logo clickthru to the appropriate government licensing agency ... where there was full-disclosure information about the particular insurance company's operational characteristics (including complaints).

the momentary certification authority aberration tends to certify that they executed some business process that involves validating the certified information with the appropriate authoritative agency responsible for the information being certified.

in many real business process scenarios ... the relying party will directly validate the information with the authoritative agency for the information of interest.

Posted by lynn wheeler at February 11, 2005 07:06 PM

the other part was the trust model of the agency behind a web site. when we were starting this electronic commerce stuff
http://www.garlic.com/~lynn/aadsm5.htm#asrn2
http://www.garlic.com/~lynn/aadsm5.htm#asrn3

there was the thing could you really trust that you were talking to the website that you thought you were talking to. that simply is handled with secure domain name infrastructure where you get back the host's public key along with the ip-address when you do the hostname to ip-address resolution.

the other part was could/should you actually trust those operating the web-site ... that was where the better business bureau or gov. licensing agency came in.

the problem was that the online retail business turned out to be highly skewed; potentially 60-100 sites doing 90 percent or more of all transactions. that resulted in mostly repeat transactions, site recognition, repeat business, etc ... the consumer already had high trust level in the URL as a brand. a certificate indicating that the consumer should trust the specific merchant provided almost no added value.

the place where there was the least consumer trust was with the millions of e-commerce sites that had no brand recognition, tended to be all first time transactions and possibly did only a couple a month. However, it was difficult to justify (for this class of e-commerce sites) spending any significant amount of money on a certificate ... that would represent insurance/guarantee of the business practices.

Posted by lynn wheeler at February 11, 2005 07:25 PM