Some thoughts on high-assurance certificates

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Oct 31 08:38:34 EST 2005


A number of CAs have started offering high-assurance certificates in an
attempt to... well, probably to make more money from them, given that the
bottom has pretty much fallen out of the market when you can get a standard
certificate for as little as $9.95.  The problem with these certificates is
that, apart from the fact that the distinction is meaningless to users (see
work by HCI people in this area), they also don't fit the standard CA business
processes.  CAs employ people whose job role, and job expertise, lie in
shifting as much product as possible as quickly as possible (as has already
been demonstrated in the race to the bottom for supplying standard
certificates), not in enforcing PKI theology on their clients.

There are only a very small number of people who understand the theology
behind certificates sufficiently to be able to explain the motivation behind
the various steps in the process of issuing them, and none of them are going
to be employed in doing certificate checking for CAs.  Instead, the task will
be managed by, and performed by, the same people who spam everything in the US
that has a pulse with pre-approved credit card applications, loans, and
similar items.

Here's a real-world example of this process in action.  A user approached a
large public CA for a high-assurance certificate and specifically requested
that his identity be checked thoroughly via his hard-to-forge paper documents.
The CA did the usual standard-assurance checking (whois lookup, email to the
whois contact address, caller ID check on the calling number, all easily
spoofed), and then announced that the user had been pre-approved for the
high-assurance certificate, *before* the user had supplied his authenticating
documents.  Made perfect sense, they'd done the equivalent of running a credit
check before pre-approving a credit card or loan or whatever. Their proactive
service and rapid attendance to the customer's needs put them ahead of the
competition...

... except that this isn't something like a standard credit-check business.
The user tried explaining this to the CA employees doing the checking, but
they just didn't understand what the problem was.  They'd done everything
right and provided outstanding service to the user, hadn't they?

And therein lies the problem.  The companies providing the certificates are in
the business of customer service, not of running FBI-style special background
investigations that provide a high degree of assurance but cost $50K each and
take six months to complete.  The same race to the bottom that's given us
unencrypted banking site logons and $9.95 certificates is also going to hit
"high-assurance" certificates, with companies improving customer service and
cutting customer costs by eliminating the (to them and to the customer)
pointless steps that only result in extra overhead and costs.  How long before
users can get $9.95 pre-approved high-assurance certificates, and the race
starts all over again?

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List