
Robert A. Costner writes:
Electronic Frontiers Georgia is forming a working group on Secure Authentication Methodologies. This is the procedure for verifying who really owns the public key that has been placed in a database repository, or Certification Authority (CA). Issues at question are not only the technical considerations, but also concerns of privacy, consumer protection, and legality. Questions have arisen as to whether to use picture ID, notaries public, existing databases, and governments to enforce secure authentication. Another question that has been raised is: is secure authentication possible at all?

And another question is: should government be involved at all? My answer to that is no, not for the setting of CA policy. It should be up to the CA, as published in their policy, what authentication if any they perform in order to issue a certificate. There is a need for certificates that are closely tied to someone's True Name and there is a need for certificates that do nothing except verify that a given email address is unique in that CA's list. I would oppose any laws that require a certain level of "secure authentication" of CAs. Especially since, as your question hints, there IS no secure authentication available to all citizens - driver's licenses and birth certificates and Social Security cards are all readily forged. All authentication is relative.

I would not be opposed to laws that penalized a CA for breaking the terms of its published policy. However, I expect that existing contract law would cover that, since the policy is essentially a contract between the CA and the cert issuee.

The biggest problem with CAs and the law is legal liability. The liability of being a CA is currently unknown until there is case law on the topic. I think that one way of looking at CA liability would be to consider it to be similar to an insurance policy with a limited maximum liability. A CA who issued low-assurance unique email address certificates might limit its liability to $10, whereas a CA who issued a high-assurance 37-forms-of-ID-and-a-retina-scan True Name certificate might limit its liability to $100M (or maybe unlimited). These liability limits would of course have to be stated in the CA's policy. Being able to limit liability on their own would allow the market to choose how much assurance a certificate for a given transaction needs. For CAs, it would allow them to insure themselves.

It would be trivial to add an 'assurance' field to standard X.509 certificates so parties to a transaction wouldn't need to read the CA's policy statement to learn how much a given certificate was 'worth', i.e. how far the CA is prepared to back it.

--
Eric Murray ericm@lne.com
Network security and encryption consulting.
PGP keyid:E03F65E5