
Re: [Fwd: Netscape, CAs, and Verisign]




>I'd like to see a less centralized CA that's tied into the existing system
>of notaries.  The idea is to make it necessary to spoof a notary in order
>to spoof the CA.  That won't make spoofing the CA impossible (nothing
>will), but it will make spoofing the CA illegal. 

You might wish to look at the Apple DigiSign design. RSA DSI ran a CA
under contract as a notary enrollment system for 2 years. The people from
RSA DSI, now at Verisign, have a certain amount of experience with this
system.

I don't understand how you intend to make CA spoofing illegal. Who
would perform the enforcement? (By illegal, I assume you mean that
there is a criminal offence involved, rather than a tort.)

>
>A notary could apply to the CA for the right to work as an agent, for a
>nominal fee (<$100/year).  Only notaries could be agents.  If a person
>wants a certificate, they'd come in and present ID and a key to the
>notary/agent.  The person would have to present a form document stating
>that he's requesting the cert.  The notary would stamp the form and affix
>a signature to the key which would enable it to be processed automatically
>by the CA. 

This has been tried, and many certificates issued under a variant
of this scheme. It seems likely that only an ABA-certified notary
would be reasonably secure from professional liabilities. Good
efforts have been made to qualify what the professional procedures would
be. 


>
>Fees for the whole procedure ought to be less than $30.  The CA ought to
>operate off of the fees from the agents as a non-profit organization, and
>the agents ought to keep the fees paid by the people requesting the
>certificates.

Notary fees might be best controlled by the notary, not the CA. Seems
an unreasonable restriction of trade to price-fix, even at the low-end.


>
>Would any of the lawyers on the list be willing to comment on whether or
>not it's possible or practical to tie a CA into the notary system?  Does
>anyone have any thoughts as to how difficult/risky spoofing my CA is
>compared to spoofing Netscape or Verisign? 

There is indeed a large body of legal ramifications in this
area. The best way to learn about it is to become a CA and do it. Risk
taking is part of being in the CA business, however you operate it,
even for free.

>
>I could put up a server and I think I know a lawyer who would help me set
>up a non-profit organization on a shoestring, but I don't want to do it if
>the plan is impractical.  

Running as a not-for-profit may not prevent general liability. You can
give the service away for free and will still be liable for the
misrepresentations you or your agents make. There are DARPA reports written
about the issue (though these do not usually constitute advice).

>
>Moreover, although I don't think it's reasonable to expect Netscape to
>agree to include a non-existent CA in their browsers sight unseen, at the
>same time it doesn't seem smart to sink money into setting up the CA
>without some indication from Netscape that they're willing to give the
>idea good faith consideration. 

Navigator betas seem to already facilitate users configuring their own
trust points in a manner rather similar to adding a key to your
personal PGP keyring.

IBM browsers allow formal configuration of trust points.

CAs as a business and economic growth area are just happening. We have
two declared companies: Verisign and GTE. I personally expect another
10-20 to declare soon. The large (phone company) networks seem to
be where the current action is, followed by the large accounting firms. As
a small software company, I personally back the other similarly
small software companies making and selling organizational CA
systems to help people manage their own community of interest as
they see fit.