Anne & Lynn Wheeler lynn at garlic.com
Sat Jun 9 16:27:21 EDT 2007

A crazy thought?

for some other topic drift regarding certification authorities ... having been certification
authorities for "digital certificates" targeted at the (electronic but) "offline" market
... they encountered a number of issues in the mid-90s as the world was transitioning
to ubiquitous online operation ... the digital certificates were somewhat targeted for
relying parties ... dealing with total strangers (that they had no prior information
about) and had no timely mechanisms for directly contacting any authorities for
references regarding the stranger.

so one of the issues for x.509 identity certificates ... small x-over from this
other thread
http://www.garlic.com/~lynn/aadsm27.htm#25 Why self describing data formats

was to try and move out of the no-value market into the identity market ... aka ...
as world transitioned to ubiquitous online operation ... the remaining "offline"
was "no-value" situations where the relying-party couldn't justify the cost of
maintaining information about the parties that they dealt with (aka something
analogous to browser "cookies") and/or couldn't justify the cost of directly
contacting responsible agencies for information about the parties they were dealing

now in this recent thread ... somewhat about some internet historical
http://www.garlic.com/~lynn/2007l.html#67 nouns and adjectives
http://www.garlic.com/~lynn/2007l.html#68 nouns and adjectives
http://www.garlic.com/~lynn/2007l.html#69 nouns and adjectives
http://www.garlic.com/~lynn/2007l.html#70 nouns and adjectives

the last post drifts into the subject of some of the recent "churn" around
"identity" activities ... also lengthy post on the subject here:
http://www.garlic.com/~lynn/aadsm27.htm#23 Identity resurges as a debate topic

the certification authorities were somewhat looking at increasing the
value of x.509 identity digital certificates (since there wasn't a lot
of future selling into the no-value market segment) by starting to
grossly overload the digital certificates with enormous amounts of
personal information.

now typically "identity" has been an "authentication" characteristic ...
adding potentially enormous amounts of personal information could be considered
attempting to move into the "authorization" area ... where a relying-party might
be able to make an authorization, approval, and/or permission decision purely based
on the additional personal information in the digital certificate.

what was seen by the mid-90s was that many of the institutions were
starting to realize that x.509 identity digital certificates, grossly
overloaded with personal information represented significant privacy
and liability issues. what you saw then was a retrenchment to purely
"authentication", relying-party-only digital certificate

with the digital certificate containing little more than a record
locator (where all the necessary information was actually kept, even real-time,
and aggregated information ... which is difficult to achieve in a stale,
static digital certificate paradigm) and a public key ... note, however,
we could trivially show that in such situations the stale, static digital
certificate was redundant and superfluous ... aka just add the public key to the
entity's record ... which already had all the personal, private and
other information necessary for "authorization". in the payments
market segment ... this is somewhat separate from the fact that
the appended stale, static, redundant, and superfluous digital
certificates were causing a factor of 100 times payload and processing

one of the other problems faced by certification authorities attempting
to move "identity" digital certificates into the "authorization" market
segment was what (with loads of personal information), if any, liability
were certification authorities going to accept with regard to "authorization" 
problems encountered by the relying-parties (depending on the digital
certificate personal information in their decision making process).

