Outsourced Trust (was Re: Difference between TCPA-Hardware and a smart card and something else before
Anne & Lynn Wheeler
lynn at garlic.com
Tue Dec 23 10:03:00 EST 2003
At 07:34 PM 12/22/2003 -0700, Ed Reed wrote:
>Of course they do. Examples:
>
>D&B and other credit reporting agencies.
>SEC for fair reporting of financial results.
>International Banking Letters of Credit when no shared root of trust
>exists.
>Errors and Omissions Professional Liability insurance for consultants
>you don't know.
>Workman's Compensation insurance for independent contractors you don't
>know.
I don't think that trust checking was so much of the question .... a not
uncommon scenario was:
1) institution set up an account, possibly including checking with 3rd
party trust agencies
2) did various kinds of online transactions where the actual transaction
included account-only information
3) got an offer from a certification authority to move into the "modern world":
   a) send the CA a copy of the institution's account database
   b) the CA would convert the information in each account record into a
   certificate
   c) each certificate would be digitally signed by the CA
   d) the CA would return each digitally signed, transformed account record
   back to the institution and only charge $100/certificate
4) the institution was to convert from modern online transactions to
archaic offline transactions based on information in the certificate
5) the certificate would be an x.509 identity certificate that contained all
of the account entity's identification information, which would flow around
attached to every transaction
Fundamentally:
1) x.509 certificates broadcast all over the world, attached to every
transaction, were in serious violation of all sorts of privacy issues
2) certificates were fundamentally designed to address a trust issue in
offline environments where a modicum of static, stale data was better than
nothing
3) offline, certificate-oriented, static, stale processing was a major step
backward compared to online, timely, dynamic processing
4) the traditional outsourced trust has the relying party contracted with
the trust agency so that there is some form of legal obligation; the
traditional CA model has no such legal obligation existing between the
relying party and the trust/certifying agency (the contract is frequently
between the trust agency and the key owner, not the relying party).
In the mid to late 90s ... some financial institutions attempted to salvage
some of the paradigm (because of the severe privacy and liability issues)
by going to relying-party-only certificates for online transactions.
However, it is trivial to show that the static, stale information in the
relying-party-only certificate was a trivial subset of the information that
would be accessed in the real account record for the online transactions
... and therefore it was trivial to show that static, stale certificates
were redundant and superfluous. Misc. past posts regarding the
relying-party-only scenario:
http://www.garlic.com/~lynn/subpubkey.html#rpo
I think that the current federal gov.PKI tries to address the legal
obligation issue ... by creating a legal situation where essentially all
the authorized CA operators are effectively agents of the federal PKI ...
and all the relying parties have contracts with the federal PKI ... which
simulates a legal obligation between the issuer of the certificate and the
relying-parties.
In something like the D&B scenario ... the relying party contracts for some
information with D&B about the entity that the relying party is interested
in. In many of the traditional 3rd party CA-PKIs, there may be absolutely
no legal relationship between the CA issuing the certificate (trust
information) and any of the relying parties that are relying on the trust
information, i.e. the contract is between the CA issuing the certificate ...
and the entity that the certificate is about. Since the entity (that the
trust information is about) may be the party paying for the trust
information ... they may have some motivation to shop around and get the
most favorable report. Let's say I was applying for a loan and the loan
institution needed a credit report. Rather than the loan institution
contracting for the credit report, they rely on one supplied by the loan
applicant. The loan applicant is free to choose from all the credit
reporting agencies which credit report they will buy for supplying to
the loan institution.
Random past threads on trust propagation:
http://www.garlic.com/~lynn/aadsm14.htm#42 An attack on paypal
http://www.garlic.com/~lynn/aadsm14.htm#45 Keyservers and Spam
http://www.garlic.com/~lynn/aadsm14.htm#46 An attack on paypal
http://www.garlic.com/~lynn/aadsm15.htm#26 SSL, client certs, and MITM (was WYTM?)
http://www.garlic.com/~lynn/aadsm15.htm#32 VS: On-line signature standards
http://www.garlic.com/~lynn/aadsm15.htm#33 VS: On-line signature standards
http://www.garlic.com/~lynn/aadsm15.htm#36 VS: On-line signature standards
http://www.garlic.com/~lynn/aadsm2.htm#pkikrb PKI/KRB
http://www.garlic.com/~lynn/2001g.html#40 Self-Signed Certificate
http://www.garlic.com/~lynn/2003m.html#55 public key vs passwd authentication?
http://www.garlic.com/~lynn/2003n.html#30 Is this right? Question about SSL and PKI
--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
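The post's central point (the relying-party-only certificate is a static, stale subset of the live account record, so an online check supersedes it) as an added example; this is illustrative code, not anything from the post or the garlic.com archive. It assumes a toy institution account database held in a dict, an HMAC standing in for the CA's digital signature, and hypothetical function names; the account data and key are constructed for the demo.

```python
import copy
import hashlib
import hmac
import json

# Constructed CA signing key; an HMAC stands in for the CA's digital signature.
CA_KEY = b"constructed-ca-signing-key"

# Constructed institution account database: the "real account record".
ACCOUNTS = {
    "acct-1001": {
        "account_id": "acct-1001",
        "public_key": "K1",
        "status": "active",
        "balance": 250,
        "daily_limit": 500,
    }
}


def _sign(body, ca_key):
    # Canonical JSON so signer and verifier hash identical bytes.
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ca_key, canonical, hashlib.sha256).hexdigest()


def issue_certificate(record, ca_key=CA_KEY):
    """CA steps (b)/(c): copy identity and key fields of an account record into
    a static, signed certificate. Balance and limits stay in the live record."""
    body = {"account_id": record["account_id"], "public_key": record["public_key"]}
    return {"body": body, "sig": _sign(body, ca_key)}


def verify_certificate(cert, ca_key=CA_KEY):
    """Check the CA signature over the certificate body."""
    return hmac.compare_digest(cert["sig"], _sign(cert["body"], ca_key))


def authorize_offline(cert, txn, ca_key=CA_KEY):
    """Offline, certificate-oriented check: trusts whatever the certificate said
    at issuance time, with no access to the live account record."""
    if not verify_certificate(cert, ca_key):
        return False
    body = cert["body"]
    return body["account_id"] == txn["account_id"] and body["public_key"] == txn["key_id"]


def authorize_online(accounts, txn):
    """Online, timely check against the live account record (status, current
    key, limits), which the certificate cannot carry."""
    rec = accounts.get(txn["account_id"])
    if rec is None or rec["status"] != "active":
        return False
    if rec["public_key"] != txn["key_id"]:
        return False
    return txn["amount"] <= rec["daily_limit"]


def certificate_is_subset_of_record(cert, record):
    """Every field in the relying-party-only certificate is already in the
    account record the relying party holds, so the certificate adds nothing."""
    return all(record.get(k) == v for k, v in cert["body"].items())


def demo():
    """Returns ((offline, online) before suspension, (offline, online) after)."""
    accounts = copy.deepcopy(ACCOUNTS)
    cert = issue_certificate(accounts["acct-1001"])
    txn = {"account_id": "acct-1001", "key_id": "K1", "amount": 100}
    before = (authorize_offline(cert, txn), authorize_online(accounts, txn))
    # Institution suspends the account and rotates the key after a reported
    # compromise; the already-issued certificate does not change.
    accounts["acct-1001"]["status"] = "suspended"
    accounts["acct-1001"]["public_key"] = "K2"
    after = (authorize_offline(cert, txn), authorize_online(accounts, txn))
    return before, after


if __name__ == "__main__":
    print(demo())  # ((True, True), (True, False))
```

The offline path keeps accepting the transaction after the institution has suspended the account, because the certificate's contents froze at issuance; the online path, reading the live record, rejects it. The subset check makes the redundancy explicit: a relying party that already holds the account record has every certificate field on hand.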