At 02:55 PM 1/29/96 -0500, Peter Williams wrote, in response to Alex:
I'd like to see a less centralized CA that's tied into the existing system of notaries. The idea is to make it necessary to spoof a notary in order to spoof the CA. That won't make spoofing the CA impossible (nothing will), but it will make spoofing the CA illegal. ... I dont understand how you intend to make CA spoofing illegal. Who who perform the enforcement? (By illegal, I assume you mean that there is a criminal offence involved, rather than a tort.)
Is providing false documents to a notary criminal fraud, or only civil?
Fees for the whole procedure ought to be less than $30. The CA ought to operate off of the fees from the agents as a non-profit organization, and the agents ought to keep the fees paid by the people requesting the certificates.
Notary fees might be best controlled by the notary, not the CA. Seems an unreasonable restriction of trade to price-fix, even at the low-end.
Notary fees can be agreed contractually between the notary and the CA; if they want to do a list price / street price system, or a non-profit, or a dog-eat-capitalist-running-dog competitive system, the market can let you pick your favorites.
There is indeed a large body of legal ramifications in this area. The best way to learn about it is to become a CA and do it. Risk taking is part of being in the CA business, however you operate it, even for free.
Morevover, although I don't think it's reasonable to expect Netscape to agree to include a non-existent CA in their browsers sight unseen, at the same time it doesn't seem smart to sink money into setting up the CA without some indication from Netscape that they're willing to give the idea good faith consideration. Navigator betas seem to already facilitate users configuring their own trust points in a manner rather similar to adding a key to your personal PGP keyring.
Letting the user decide whom to trust certainly seems like the best approach, and makes it possible to build a Web of Trust on top of Netscape rather than being stuck with hierarchical certifications. Meanwhile, if Netscape wants to sell the top two slots in their CA list to the highest-bidding advertiser like they do with searchers, they still can. #-- # Thanks; Bill # Bill Stewart, stewarts@ix.netcom.com, Pager/Voicemail 1-408-787-1281 # http://www.idiom.com/~wcs