[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

The Carl & Bob show

Since Carl invited me to comment on his summary of our discussion, I hope he
won't mind my responding publically to his most recent off-list question:

>Bob, to what extent are you thinking of a commercial CA "ID certificate" as

a poor man's approximation to a national ID #, in a nation that won't permit

national ID #'s?

Good question.

Of course, CA's don't issue "ID certificates" per se, but they do at least
tend to include locality information which approximates something like an
"identity", at least in some people's view.

I was thinking about our discussion last night, and wanted to redirect or
restate my thoughts slightly along these very lines.

Although I believe that a globally unambiguous name is desirable, and using
either geographical or other forms of name qualification, including street
address if necessary, is not particularly difficult to do, it isn't an
absolute requirement that a name be globally unambiguous.

If there should just happen to be a Robert R. Jueneman who is a sheep herder
in New Zealand,  in all probability that individual is not likely to be
confused with the fellow who writes all of the quasi-legal stuff on several
PKI e-mail lists. Of course, as international electronic commerce becomes
increasingly common, that degree of global unambiguity will become
increasingly important.

It isn't even absolutely necessary that the name be particularly convenient
or user-friendly, although that is of course desirable.  If someone named
say Paula Jones doesn't want to include her street address in her
certificate, she may use a distinguished name that consists of her common
name plus the name of her CA plus a unique ID assigned by that CA, or maybe
even her name plus a message digest of her birth certificate. If the
residence address isn't listed, however, then the CA probably has an
obligation to maintain records that could be subpoenaed, if necessary, and
if they don't, then relying parties would be well advised not to accept that
kind of a certificate for anything important.

It happens, however, that there is a Robert Jueneman (different middle name)
who lives in Aurora, Colorado. (Interestingly,  his daughter spells her name
Tracie, whereas mine spells her Tracey -- how's that for a coincidence?) 
Now suppose that the Colorado Jueneman were to order something intangible
(not using SET, so we don't confuse things too much) and digitally signs the
order and promises to pay, but later repudiates the transaction saying that
he never ordered anything.

The merchant would like to get paid, and if necessary is willing to take
legal action.  But against whom, and how?  You can't send the sheriff down
the wire into cyberspace to arrest someone, and even before things get that
far, it is probably necessary to serve legal notice on someone demanding
that they pay you.

I don't know for certain, but I rather doubt that it would be effective to
serve legal notice to an e-mail address.  The technology is too new to
deserve the presumption of delivery that applies to mailing something
through the US Mail, and generally there isn't the equivalent of Certified
or Registered Mail, where a legal signature confirming receipt can be

So one way or the other, the merchant needs to know where I reside, or at
least a postal address where legal notices can be sent with a very high
probability of being received. (I may not read them, or even pull them out
of the mailbox, but then I am negligent.)  This is not only true of
individual citizen/consumers, but of organizations as well -- corporations
that are registered as doing business within a given state have to have a
legal address for service of process.  And of course if someone wants to
physically arrest me, it is handy to know where I routinely return to go to
bed at night.

None of this really has too much to do with Carl's small town, circle of
friends name recognition paradigm. Indeed, I may be using an assumed name,
and everyone in town but the Postmaster may know me by my nom de plume. That
doesn't matter, as long as there is something that ties back my "official"
name (the one I use for digital signatures and electronic commerce) to some
address of record.

Now, does that make a VeriSign certificate that lists my address the same as
a national ID card?  No, it doesn't, for a number of reasons.

First of all, no matter how carefully VeriSign checks my bona fides, there 
is no way that one of their certificates is going to keep me from being
deported if I am an illegal alien, whereas a national ID card would
presumably be the equivalent of a mandatory passport, and would therefore
prove citizenship.  (Anyone without one might be subject to deportation,
especially if their name were Julio and they had a rather brown skin.)

Likewise, a VeriSign certificate is probably not going to be accepted as a
basis for allowing a person to vote, or to collect a Social Security Check,
or MediCare benefits, or even proof that you are allowed to drive or buy
alcohol or tobacco.

So in that sense it isn't the same as even a state ID card.  More to the
point, the state-issued ID card is probably required to get the VeriSign
certificate, rather than the other way around.

And finally, and perhaps most importantly, even a state driver's license
isn't mandatory, although most of the proposals for a national ID card would
be mandatory.  You may not be able to drive a car, cash a check, or
effectively participate in a lot of the other benefits of our society, but
those are privileges, and not rights.

So the bottom line for what might constitute an identity certificate isn't
the name that is conventionally used in social discourse, but rather the
correspondence between whatever more or less "formal" name is used for
commerce and the name and address of record.

Bob (my nom de plume or handle)

(AKA Robert R. Jueneman -- the official name of the one who lives in Utah
and works for Novell.)

Robert R. Jueneman
Security Architect
Novell, Inc.
Network Services Division
122 East 1700 South
Provo, UT 84604

"If you are tring to get to the moon, climbing a tree, 
although a step in the right direction, will not prove 
to be very helpful."

"The most dangerous strategy is to cross the chasm in two leaps."