Some thoughts on high-assurance certificates

Anne & Lynn Wheeler lynn at garlic.com
Tue Nov 1 17:07:54 EST 2005


Ed Reed wrote:
> Getting PKI baked into the everyday representations people routinely
> manage seems desirable and necessary to me.  The pricing model that has
> precluded that in the past (you need a separate PKI certificate for each
> INSURANCE policy?) is finally melting away.  We may be ready to watch
> the maturation of the industry.

as part of some work on cal. & fed. e-signature legislation ... one of
the industry groups involved was the insurance industry. rather than PKI
certificates, there was some look at real-time, online transactions ...
where the liability was calculated on the basis of each individual
transaction.

The PKI certification model ... is somewhat a paradigm for the letters of
credit offline scenario from the sailing ship days. in the modern world
... that somewhat states that the certificate is issued for a period of
time ... possibly one year ... and theoretically covers all operations
that might occur during the period of that year ... regardless of the
number of operations that might be involved during that period ... where
each operation carried liability. in the online scenario ... rather than
having a stale, static certificate that carried with it implied
liability for the period of time, independent of the number of
operations ... each individual operation was a separate liability
operation.

one could imagine insurance on a large tanker for a period of a year
with regard to sinking. that translation to an electronic world ...
would be that the tanker would have an arbitrary number of sailings ...
and could sink on each sailing ... and having sunk on a previous sailing
... wouldn't prevent it from its next assignment and sinking again.

the "insurance" in the credit card industry is that there is an online
operation for each transaction ... and each transaction involves the
merchant being charged a value proportional to the transaction value. the
liability is taken on each online transaction ... rather than for a
period of time ... regardless of the number or magnitude of the
transactions.

this is somewhat with respect to my previous reply that the
certification and assurance of the certification can be independent of
the way that certification is represented. in the past for the offline
world ... having a stale, static certificate representing that
certification was useful ... because there was no way of obtaining
real-time, online certification information. with ubiquitous online
availability, there has been more and more transition to real-time
online certification representation especially as the values involved
increase (frequently the real-time, online certification representation
can involve higher quality and/or more complex information ... like
real-time aggregated information ... which is rather difficult with a
stale, static representation created at some point in the past)
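An added illustration of the contrast Lynn draws above (this is example code written for this archive page, not part of the post and not from any insurer, card network or certificate authority): a small Python model of a relying party that trusts a stale, static certificate for its whole validity period versus one that authorizes each operation online against current standing. The certificate, the sailings and the losses are constructed sample data; the `StatusService` class is a hypothetical stand-in for whatever real-time status source an online model would consult.

```python
"""
Model two liability models side by side:

  offline: a static certificate covers every operation inside its
           validity window, however many there are and whatever happens
           on earlier operations (the tanker sinks, sails again, sinks again)
  online:  each operation is checked in real time against current standing,
           and a loss on one operation flips standing so later ones are declined

All data below is constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Certificate:
    """Static certificate: asserts the subject is good from not_before to not_after."""
    subject: str
    not_before: date
    not_after: date

    def valid_on(self, when: date) -> bool:
        return self.not_before <= when <= self.not_after


@dataclass
class Operation:
    """One sailing / one transaction and the liability it would carry if it fails."""
    when: date
    value: int
    sinks: bool = False  # constructed flag: does this operation end in a loss?


@dataclass
class StatusService:
    """Hypothetical real-time status source: records when a subject stopped being good."""
    bad_since: dict = field(default_factory=dict)

    def report_loss(self, subject: str, when: date) -> None:
        # Keep the earliest loss date; later reports don't move it.
        self.bad_since.setdefault(subject, when)

    def in_good_standing(self, subject: str, when: date) -> bool:
        since = self.bad_since.get(subject)
        return since is None or when < since


def offline_exposure(cert: Certificate, ops: list) -> int:
    """Offline relying party: accepts any operation inside the validity window.
    Nothing learned from one operation affects the next, so every loss counts."""
    total = 0
    for op in ops:
        if cert.valid_on(op.when) and op.sinks:
            total += op.value
    return total


def online_exposure(cert: Certificate, ops: list, status: StatusService) -> int:
    """Online relying party: checks current standing before each operation.
    After the first loss is reported, later operations are declined, so the
    exposure is bounded by a single operation rather than by the whole period."""
    total = 0
    for op in sorted(ops, key=lambda o: o.when):
        if not cert.valid_on(op.when):
            continue
        if not status.in_good_standing(cert.subject, op.when):
            continue  # declined in real time
        if op.sinks:
            total += op.value
            status.report_loss(cert.subject, op.when)
    return total


def per_transaction_fee(ops: list, rate: float) -> float:
    """Credit-card-style pricing: a charge proportional to each transaction's value,
    so the fee tracks the number and magnitude of operations, not a fixed period."""
    return sum(op.value * rate for op in ops)


# Constructed sample: a one-year certificate and twelve monthly sailings, three of
# which end in a loss, plus one sailing after expiry that neither model accepts.
CERT = Certificate("tanker-1", date(2005, 1, 1), date(2005, 12, 31))
SAILINGS = [Operation(date(2005, m, 15), 1_000_000, sinks=(m in (3, 7, 10))) for m in range(1, 13)]
SAILINGS.append(Operation(date(2006, 1, 15), 1_000_000, sinks=True))  # after expiry

if __name__ == "__main__":
    print("offline exposure:", offline_exposure(CERT, SAILINGS))
    print("online exposure: ", online_exposure(CERT, SAILINGS, StatusService()))
    print("per-txn fees @1%:", per_transaction_fee(SAILINGS, 0.01))
```

The offline model pays for all three losses because the certificate says nothing about what happened after it was issued; the online model pays for one, because the second and third sailings are declined once the first loss is known. The fee function shows the other half of the point: online pricing scales with the transactions actually performed rather than with a fixed validity period.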

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com