[Cryptography] "Trust in digital certificate ecosystem eroding"

Anne & Lynn Wheeler lynn at garlic.com
Thu May 7 12:56:08 EDT 2015

Note the CA industry was floating a $20B/annum business plan on wallstreet for personal digital certificates ... paid for by the financial industry.

The CA industry had sold the wonders of digital signatures (along with requiring digital certificates) to the financial industry for "safe" financial transactions. Understanding liability, People in the financial industry had slightly modified the process to "relying party only" digital certificates. The result was that the financial industry would register an account owner's public key in their account record. The process then would have the financial industry transmit a copy of the account database to a CA, which would swizzle each account record bit pattern into a digital certificate and only charge $100/account. Some number of institutions spent tens of millions on pilots before it was raised to the board level the CA @account charge. One typical case of financial institution with 14M accounts, the board was told that CAs would only charge $1.4B for this great new facility ... resulting in the pilot (have already spent several tens of millions) being shutdown and the peop
 le respon
sible freed from their jobs.

I would also make the point that the relying-party-only certificates were redundant and superfluous ... since the financial institution (relying party) already had the public key on file in the account record. I also made a point that a typical credit card transaction payload size was 60-80 bytes. Appending digital certificates to every transaction would add 6kbyte-12kbytes to every transaction ... a factor of 100 times size bloat (for something that was redundant and superfluous).

Ignore the redundant & supefluous comments, a financial industry standards body took up a work item for "compressed" digital certificates ... looking for a factor of ten times reduction (so size bloat would only be ten times instead of 100 times). Part of their approach was to eliminate all fields that the relying party would already have. I was able to demonstrate that the relying party would already have all fields, so a digital certificate could be compressed to zero bytes. Then rather than working for the elimination of all digital certificates as redundant and superfluous ... work for the mandated appending of zero byte digital certificates on every transaction.

virtualization experience starting Jan1968, online at home since Mar1970

More information about the cryptography mailing list