[Fwd: Netscape, CAs, and Verisign]

Peter Williams peter at verisign.com
Mon Jan 29 19:39:50 PST 1996



>I'd like to see a less centralized CA that's tied into the existing system
>of notaries.  The idea is to make it necessary to spoof a notary in order
>to spoof the CA.  That won't make spoofing the CA impossible (nothing
>will), but it will make spoofing the CA illegal. 

You might wish to look at the Apple DigiSign design. RSA DSI ran a CA
under contract as a notary enrollment system for 2 years. The people from
RSA DSI, now at Verisign, have a certain amount of experience with this system.

I don't understand how you intend to make CA spoofing illegal. Who
would perform the enforcement? (By illegal, I assume you mean that
there is a criminal offence involved, rather than a tort.)

>
>A notary could apply to the CA for the right to work as an agent, for a
>nominal fee (<$100/year).  Only notaries could be agents.  If a person
>wants a certificate, they'd come in and present ID and a key to the
>notary/agent.  The person would have to present a form document stating
>that he's requesting the cert.  The notary would stamp the form and affix
>a signature to the key which would enable it to be processed automatically
>by the CA. 

This has been tried, and many certificates issued under a variant
of this scheme. It seems likely that only an ABA-certified notary
would be reasonably secure from professional liabilities. Good
efforts have been made to qualify what the professional procedures would
be.


>
>Fees for the whole procedure ought to be less than $30.  The CA ought to
>operate off of the fees from the agents as a non-profit organization, and
>the agents ought to keep the fees paid by the people requesting the
>certificates.

Notary fees might be best controlled by the notary, not the CA. Seems
an unreasonable restriction of trade to price-fix, even at the low-end.


>
>Would any of the lawyers on the list be willing to comment on whether or
>not it's possible or practical to tie a CA into the notary system?  Does
>anyone have any thoughts as to how difficult/risky spoofing my CA is
>compared to spoofing Netscape or Verisign? 

There is indeed a large body of legal ramifications in this
area. The best way to learn about it is to become a CA and do it. Risk
taking is part of being in the CA business, however you operate it,
even for free.

>
>I could put up a server and I think I know a lawyer who would help me set
>up a non-profit organization on a shoestring, but I don't want to do it if
>the plan is impractical.

Running as a not-for-profit may not prevent general liability. You can
give the service away for free and will still be liable for the
misrepresentations you or your agents make. There are DARPA reports written
about the issue (though these do not usually constitute advice).

>
>Moreover, although I don't think it's reasonable to expect Netscape to
>agree to include a non-existent CA in their browsers sight unseen, at the
>same time it doesn't seem smart to sink money into setting up the CA
>without some indication from Netscape that they're willing to give the
>idea good faith consideration. 

Navigator betas seem to already facilitate users configuring their own
trust points in a manner rather similar to adding a key to your
personal PGP keyring.

IBM browsers allow formal configuration of trust points.

CAs as a business and economic growth area are just happening. We have
two declared companies: Verisign and GTE. I personally expect another
10-20 to declare soon. The large (phone company) networks seem to
be where the current action is, followed by the large accounting firms. As
a small software company, I personally back the other similarly
small software companies making and selling organizational CA
systems to help people manage their own community of interest as
they see fit.






