Outsourced Trust (was Re: Difference between TCPA-Hardware and a smart card and something else before

Anne & Lynn Wheeler lynn at garlic.com
Tue Dec 23 10:03:00 EST 2003


At 07:34 PM 12/22/2003 -0700, Ed Reed wrote:
>Of course they do.  Examples:
>
>D&B and other credit reporting agencies.
>SEC for fair reporting of financial results.
>International Banking Letters of Credit when no shared root of trust
>exists.
>Errors and Omissions Professional Liability insurance for consultants
>you don't know.
>Workman's Compensation insurance for independent contractors you don't
>know.

I don't think that trust checking was so much of the question .... a not 
uncommon scenario was

1) institution set up an account possibly that included checking with 3rd 
party trust agencies
2) did various kinds of online transactions where the actual transaction 
included account-only information
3) got an offer from a certification authority to move into the "modern world"
     a) send the CA a copy of the institution's account database
     b) the CA would convert the information in each account record into a 
certificate
     c) each certificate would be digitally signed by the CA
     d) the CA would return each digitally signed, transformed account 
record back to the institution and only charge $100/certificate
4) the institution was to convert from modern online transactions to 
archaic offline transactions based on information in the certificate
5) the certificate would be an x.509 identity certificate that contained all 
of the account entity's identification information, which would flow around 
attached to every transaction

fundamentally

1) x.509 certificates broadcast all over the world attached to every 
transaction were in serious violation of all sorts of privacy issues
2) certificates were fundamentally designed to address a trust issue in 
offline environments where a modicum of static, stale data was better than 
nothing
3) offline, certificate oriented static stale processing was a major step 
backward compared to online, timely, dynamic processing.
4) the traditional outsourced trust has the relying-party contracted with 
the trust agency so that there is some form of legal obligation, the 
traditional CA model has no such legal obligation existing between the 
relying-party and the trust/certifying agency (the contract is frequently 
between the trust agency and the key owner, not the relying-party).

In the mid to late 90s ... some financial institutions attempted to salvage 
some of the paradigm (because of the severe privacy and liability issues) 
by going to relying-party-only certificates for online transactions. 
However, it is trivial to show that the static, stale information in the 
relying-party-only certificate was a trivial subset of the information that 
would be accessed in the real account record for the online transactions 
... and therefore it was trivial to show that static, stale certificates 
were redundant and superfluous. misc. past posts regarding the 
relying-party-only scenario:
http://www.garlic.com/~lynn/subpubkey.html#rpo

I think that the current federal gov. PKI tries to address the legal 
obligation issue ... by creating a legal situation where essentially all 
the authorized CA operators are effectively agents of the federal PKI ... 
and all the relying parties have contracts with the federal PKI ... which 
simulates a legal obligation between the issuer of the certificate and the 
relying-parties.

In something like the D&B scenario ... the relying party contracts for some 
information with D&B about the entity that the relying party is interested 
in. In many of the traditional 3rd party CA-PKIs, there may be absolutely 
no legal relationship between the CA issuing the certificate (trust 
information) and any of the relying parties that are relying on the trust 
information i.e. the contract is between the CA issuing the certificate ... 
and the entity that the certificate is about. Since the entity (that the 
trust information is about) may be the party paying for the trust 
information ... they may have some motivation to shop around and get the 
most favorable report. Let's say I was applying for a loan and the loan 
institution needed a credit report. Rather than the loan institution 
contracting for the credit report, they rely on one supplied by the loan 
applicant. The loan applicant is free to choose from all the credit 
reporting agencies which credit report they will buy for supplying to 
the loan institution.

random past threads on trust propagation:
http://www.garlic.com/~lynn/aadsm14.htm#42 An attack on paypal
http://www.garlic.com/~lynn/aadsm14.htm#45 Keyservers and Spam
http://www.garlic.com/~lynn/aadsm14.htm#46 An attack on paypal
http://www.garlic.com/~lynn/aadsm15.htm#26 SSL, client certs, and MITM (was 
WYTM?)
http://www.garlic.com/~lynn/aadsm15.htm#32 VS: On-line signature standards
http://www.garlic.com/~lynn/aadsm15.htm#33 VS: On-line signature standards
http://www.garlic.com/~lynn/aadsm15.htm#36 VS: On-line signature standards
http://www.garlic.com/~lynn/aadsm2.htm#pkikrb PKI/KRB
http://www.garlic.com/~lynn/2001g.html#40 Self-Signed Certificate
http://www.garlic.com/~lynn/2003m.html#55 public key vs passwd authentication?
http://www.garlic.com/~lynn/2003n.html#30 Is this right? Question about SSL and PKI
--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
  

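The relying-party-only argument above, as an added example that is not part of the original post or of any of the referenced threads: a relying party that does the online account lookup anyway gets the public key (and everything else it needs for the decision) from the live record, so a CA-signed certificate carrying only the account number and key adds nothing, and once the key is rotated in the record the still-valid certificate becomes stale data that an offline-style check would accept. The account record fields, the transaction fields, the `$100` certificate pricing and the textbook-RSA signature helper are all constructed or toy choices for the illustration, not anything the post or a real issuer specifies; the RSA here has toy key sizes and no padding and must not be used for anything real.

```python
"""Added example: relying-party-only (RPO) certificate vs. online account lookup.

Toy textbook RSA (small keys, no padding) stands in for a real signature
scheme and is NOT secure.  Accounts, keys and transactions are constructed.
"""
import hashlib
import json
import random

random.seed(7)  # deterministic toy keys so the run is reproducible


# --- toy textbook RSA (illustration only) ---------------------------------
def _is_probable_prime(n, rounds=16):
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin witnesses
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _rand_prime(bits):
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p


def keygen(bits=128):
    """Return (public, private) as ((n, e), (n, d)); toy sizes only."""
    while True:
        p, q = _rand_prime(bits // 2), _rand_prime(bits // 2)
        n, phi, e = p * q, (p - 1) * (q - 1), 65537
        if p != q and phi % e:                  # e prime, so this means gcd(e, phi) == 1
            return (n, e), (n, pow(e, -1, phi))


def _digest(obj, n):
    canon = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % n


def sign(priv, obj):
    n, d = priv
    return pow(_digest(obj, n), d, n)


def verify(pub, obj, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(obj, n)


# --- the relying party's own account database (constructed sample) --------
CA_PUB, CA_PRIV = keygen()
ALICE_PUB, ALICE_PRIV = keygen()
ACCOUNTS = {  # hypothetical record layout; the key is just one more field
    "4111-0001": {"public_key": list(ALICE_PUB), "status": "open",
                  "balance": 2500, "daily_limit": 1000, "spent_today": 800},
}


def issue_rpo_certificate(account_no):
    """CA-side transform of a record into an RPO cert: account number and
    key only (no identity data), signed by the CA."""
    body = {"account": account_no, "public_key": ACCOUNTS[account_no]["public_key"]}
    return {"body": body, "ca_sig": sign(CA_PRIV, body)}


def _online_decision(txn):
    """The decision needs status/limits/balance, which only the record has."""
    rec = ACCOUNTS[txn["account"]]
    if rec["status"] != "open":
        return "reject: account " + rec["status"]
    if rec["spent_today"] + txn["amount"] > rec["daily_limit"]:
        return "reject: over daily limit"
    if txn["amount"] > rec["balance"]:
        return "reject: insufficient funds"
    return "approve"


def authorize_with_certificate(txn, sig, cert):
    """Certificate flow: trust the CA's static copy of the key, then do the
    online lookup anyway because the authorization needs the live fields."""
    if not verify(CA_PUB, cert["body"], cert["ca_sig"]):
        return "reject: bad CA signature"
    if not verify(tuple(cert["body"]["public_key"]), txn, sig):
        return "reject: bad transaction signature"
    return _online_decision(txn)


def authorize_online(txn, sig):
    """Account-based flow: the key comes from the live record; no cert at all."""
    rec = ACCOUNTS.get(txn["account"])
    if rec is None:
        return "reject: unknown account"
    if not verify(tuple(rec["public_key"]), txn, sig):
        return "reject: bad transaction signature"
    return _online_decision(txn)


def certificate_is_subset_of_record(cert, account_no):
    """Every datum the cert carries is already in the record, which has more."""
    rec = ACCOUNTS[account_no]
    body = cert["body"]
    return (body["account"] == account_no and body["public_key"] == rec["public_key"]
            and bool(set(rec) - {"public_key"}))


def demo():
    cert = issue_rpo_certificate("4111-0001")
    txn = {"account": "4111-0001", "amount": 150, "payee": "merchant-42", "nonce": 1}
    sig = sign(ALICE_PRIV, txn)
    out = {"cert_flow": authorize_with_certificate(txn, sig, cert),
           "online_flow": authorize_online(txn, sig),
           "cert_subset": certificate_is_subset_of_record(cert, "4111-0001")}
    old_key = ACCOUNTS["4111-0001"]["public_key"]
    ACCOUNTS["4111-0001"]["public_key"] = list(keygen()[0])  # key rotated after compromise
    try:  # the certificate is now stale: still CA-valid, but the record moved on
        out["cert_flow_after_rotation"] = authorize_with_certificate(txn, sig, cert)
        out["online_after_rotation"] = authorize_online(txn, sig)
    finally:
        ACCOUNTS["4111-0001"]["public_key"] = old_key
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of `demo()` is the last two results: after the institution rotates the key in its own record, the certificate flow still approves the transaction signed with the old key (the CA's static assertion has not changed and nothing in the certificate says "stale"), while the account-based flow rejects it immediately because the live record is the only source of truth it consults. Everything the certificate carried was already a subset of that record, so in the online case the certificate bought nothing and a revocation mechanism would only be needed to undo the harm of having introduced it.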
---------------------------------------------------------------------
The Cryptography Mailing List