[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Secure Authentication
Robert A. Costner writes:
> Electronic Frontiers Georgia is forming a working group on Secure
> Authentication Methodologies. This is the procedure for verifying who really
> owns the public key that has been placed in a database repository, or
> Certification Authority (CA). Issues at question are not only the technical
> considerations, but also concerns of privacy, consumer protection, and
> legality. Questions have arisen as to whether to use picture ID, notary
> publics, existing databases, and governments to enforce secure
> authentication. Another question that has been raised is secure
> authentication possible at all?
And another question is should government be involved at all?
My answer to that is no, not for the setting of CA policy.
It should be up to the CA, as published in their policy, what
authentication if any they perform in order to issue a certificate.
There is a need for certificates that are closely tied to someone's True Name
and there is a need for certificates that do nothing except verify
that a given email address is unique in that CA's list.
I would oppose any laws that require a certain level of
"secure authentication" of CAs. Especially since, as your question
hints, there IS no secure authentication available to all citizens-
drivers licenses and birth certificates and Social Security cards
are all readily forged. All authentication is relative.
I would not be opposed to laws that penalized a CA for breaking
the terms of its published policy. However I expect that existing
contract law would cover that, since the policy is essentially a
contract between the CA and the cert issuee.
The biggest problem with CAs and the law is legal liability. The liability
of being a CA is currently unknown until there is case law on the topic.
I think that one way of looking at CA liability would be to consider it
to be similar to an insurance policy with a limited maximum liability.
A CA who issued low-assurance unique email address certificates might
limit its liability to $10, whereas a CA who issued a high-assurance
37-forms-of-ID-and-a-retina-scan True Name certificate might limit
its liability to $100M (or maybe unlimited). These liability limits
would of course have to be stated in the CAs policy.
Being able to limit liability on their own would allow the market
to choose how much assurance a certificate for a given transaction needs.
For CAs, it would allow them to insure themselves.
It would be trivial to add an 'assurance' field to standard X.509
certificates so parties to a transaction wouldn't need to read
the CAs policy statement to learn how much a given certificate was 'worth',
i.e. how far the CA is prepared to back it.
--
Eric Murray [email protected]
Network security and encryption consulting. PGP keyid:E03F65E5