Comments: Major Browsers and CAs announce Balkanisation of Internet Security

this is the scenario where authentication has been allowed to get really sloppy and the solution is strong identification ... the individual scenario is having your complete lineage stapled to your forehead.

in general, identification scenarios involve being able to blame the correct entity after something bad happens (which may act as a deterrent) ... whereas, authentication scenarios typically are aimed at prevention.

the problem is that authentication requires that the entity being authenticated has some context for the entity doing the authentication; if that context doesn't exist ... then you fall back to some sort of detailed identification and hope that there is some information that provides basis for meaningful context.

during the x9.59 standards activity in the 90s, there was some investigation into carrying trademarks in certificates ... the certification authorities would only include trademarks for the entity that has registered the trademark with the appropriate gov. agency. hopefully the trademarks provide some meaningful context for the end-user ... and there is existing legal recourse for mis-use of trademarks.

an issue here then becomes similar to my oft repeated scenario for SSL domain name certificates ... the certification authorities still have this time-consuming, error-prone and expensive identification process of making sure that the entity applying for the certificate is the same as the entity registered with the appropriate authoritative agency (responsible for whatever the certification authorities are certifying for the certificate).

then somebody has the brilliant idea that when there is some registration with some authoritative agency ... that the registration entity also register their public key. then the certification authorities require that certificate applications be digitally signed. then the certification authorities can do a real-time retrieval of the registered public key from the authoritative agency and change an expensive, error-prone and time-consuming identification operation (i.e. the entity applying for the certificate is the same as the entity registered for the information being certified) into a more reliable, less expensive, and simple authentication process.

the issue then is that if certification authorities can do real-time retrieval of public keys from authoritative agencies responsible for the information being certified ... why can't the general public also do real-time retrieval of the same public keys ... and be able to perform their own authentication ... rather than requiring certification authorities to do such authentication on their behalf and creating these things called digital certificates that are a representation of claims about (certification authorities) having performed some set of (authentication and/or identification) business processes.

an issue has been that public keys haven't been in general use ... so that authoritative agencies that are actually responsible for the information have no reason to require the registration of public keys from entities (as part of their general process). however, if public keys were to become generally used ... as in everybody applying for a digital certificate (from a certification authority), then there is an increasing expectation that entities will have public keys (for instance, one is required for a digital certificate). given sufficient expectation of public keys ... then the real authoritative agencies responsible for registered information can reasonably start to expect that they could also register public keys along with the rest of the information. then everybody being able to directly access these authoritative agencies actually responsible for registered information ... could perform their own real-time retrieval of public keys and their own authentication process (w/o requiring certification authorities as intermediaries).

A recent posting on the privacy side of this process (which is supposedly side-stepped when you are talking about identification of corporations and institutions ... as opposed to the individual)
http://www.garlic.com/~lynn/2006c.html#31 Worried about your online privacy

Posted by Lynn Wheeler at February 22, 2006 12:41 PM
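The registration-plus-signed-application flow described in the comment above, as an added Go example (it is not Lynn Wheeler's code and not part of the original page): a constructed in-memory Registry stands in for the authoritative agency that stores a public key with each registration, Apply is the applicant signing its certificate application with the registered key, and Authenticate is the real-time key retrieval and signature check that a certification authority or, equally, any end user can run directly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry stands in for the authoritative agency (trademark office, domain
// registrar) that stores a public key with each registration. Constructed here.
type Registry map[string]ed25519.PublicKey

// Application is a certificate application: the registrant's name and the
// claim to be certified, signed with the registrant's registered private key.
type Application struct {
	Registrant, Claim string
	Signature         []byte
}

func (a Application) message() []byte { return []byte(a.Registrant + "\x00" + a.Claim) }

// Apply is the applicant's side: sign the application with the registered key.
func Apply(registrant, claim string, priv ed25519.PrivateKey) Application {
	a := Application{Registrant: registrant, Claim: claim}
	a.Signature = ed25519.Sign(priv, a.message())
	return a
}

// Authenticate replaces the CA's manual identification step: fetch the
// registered public key in real time and verify the signature. Any relying
// party with access to the registry can run the same check without a CA.
func Authenticate(reg Registry, a Application) error {
	pub, ok := reg[a.Registrant]
	if !ok {
		return errors.New("no public key registered for " + a.Registrant)
	}
	if !ed25519.Verify(pub, a.message(), a.Signature) {
		return errors.New("signature does not match registered key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, impostor, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"Acme Corp": pub} // constructed registration
	fmt.Println(Authenticate(reg, Apply("Acme Corp", "ACME", priv)))     // <nil>
	fmt.Println(Authenticate(reg, Apply("Acme Corp", "ACME", impostor))) // signature does not match registered key
}
```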