
RE: The Carl & Bob show



>From: 	Bob Jueneman[SMTP:BJUENEMAN@novell.com]
>It happens, however, that there is a Robert Jueneman (different middle name)
>who lives in Aurora, Colorado. (Interestingly,  his daughter spells her name
>Tracie, whereas mine spells her Tracey -- how's that for a coincidence?) 
>Now suppose that the Colorado Jueneman were to order something intangible
>(not using SET, so we don't confuse things too much) and digitally signs the
>order and promises to pay, but later repudiates the transaction saying that
>he never ordered anything.
>
>The merchant would like to get paid, and if necessary is willing to take
>legal action.  But against whom, and how?  You can't send the sheriff down
>the wire into cyberspace to arrest someone, and even before things get that
>far, it is probably necessary to serve legal notice on someone demanding
>that they pay you.

This is perhaps a case of caveat emptor (where the merchant is the
"buyer" of the on-line service) or a case where we in this business need
to educate the public at large (our customers) as to what their risks
and responsibilities are, but....

If the merchant is going to accept electronic credentials and
electronically signed purchase orders, I would hope that the merchant
accept only those credentials that it knows were issued by CAs using
sound business models, including adequate client registration and due
diligence.

I would then expect that the merchant would obtain the customer's
real physical address from the customer's CA, and would
dispatch the sheriff to that address.

In this instance, is the identity in the certificate not largely
irrelevant, or, more to the point, relevant only to the CA?  Is not a
global name-space in some ways completely beside the point, even for
X.509 certificates?

As a CA issuing certificates for use in electronic commerce, I issue a
certificate to you, using some DN to refer to you.  Before I issue that
certificate, though, I take down your driver's license number, credit
card numbers, address, and the usual things that I will need for a
reference or credit check, and I stick those in my my-use-only database.
Once I'm satisfied that I can identify you adequately and that I have
done my job properly, I issue a certificate.

You use that to buy something.  You sign the PO with the private key
associated with that certificate.  You later repudiate it, saying that
it was really Robert Juenemann, or Roberto Juenemente, or someone else.
Bzzt.  It is signed with your private key, and you did not send me a
report of key compromise (as per your certificate holder agreement), so
you're on the hook.

All the merchant does is say to me "Look, here is the cert, here is the
signed PO, send out the sheriff".

At that point, the identity in the cert is almost irrelevant:  I can use
the certificate serial number to find you in my database, I locate your
physical address and credit information, and I send out the collection
agency.  Or whoever.

Is it perhaps the case that the identity-with-context that Carl refers
to is in some ways provided by the combination of issuer name, subject
name, and issuer public key?  Admittedly, this may only reduce the scope
of the problem (it is possible that two CAs will issue certificates with
the same subject name, and not have those be the same subject entity;
it is much less likely that those two CAs will have the same issuer
name;  in fact, I would think that any community in which they operate
would catch on to that pretty quickly).  So long as the CAs themselves
maintain adequate information about their subjects, is not the problem
of "no context for the identity" perhaps solved?  As a certificate user,
I will choose to do business - that is, accept a CA from - a CA that
enforces identity check policies and cross-certification policies that
are adequate to my needs and requirements.

And when any two organizations decide to cross-certify, they will
perform checks on each other which should result in uniquely identified
CAs (if I have cross-certified with Joe's CA Shop, and you have too, I
will likely either check that they are the same CA, or restrict the
validity of the cross-certificate I issued to you so that it can't be
used to get to "your" Joe).

pww
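
Added example, not part of the original message: a small Python model of the lookup described above, in which the CA finds the certificate holder by issuer and serial number rather than by subject name. The `Cert` and `CA` classes, the key bytes, names and addresses are constructed for illustration, and verification of the signature on the purchase order is assumed to have happened already.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the certificate fields the message discusses."""
    issuer_dn: str
    issuer_key: bytes   # issuer public key bytes (constructed sample values)
    serial: int
    subject_dn: str

def context_id(cert: Cert) -> tuple:
    """Identity-with-context: issuer name, issuer key hash, serial; not the subject DN."""
    return (cert.issuer_dn, hashlib.sha256(cert.issuer_key).hexdigest(), cert.serial)

class CA:
    def __init__(self, dn: str, key: bytes):
        self.dn, self.key = dn, key
        self._records = {}      # serial -> registration record (the private database)
        self._compromise = {}   # serial -> time the holder reported key compromise

    def issue(self, subject_dn: str, address: str) -> Cert:
        serial = len(self._records) + 1
        self._records[serial] = {"subject": subject_dn, "address": address}
        return Cert(self.dn, self.key, serial, subject_dn)

    def report_compromise(self, serial: int, when: int) -> None:
        self._compromise[serial] = when

    def resolve(self, cert: Cert, po_time: int):
        """Merchant presents the cert from a signed PO (signature check assumed done)."""
        if (cert.issuer_dn, cert.issuer_key) != (self.dn, self.key):
            return ("not-issued-here", None)    # same issuer name, different key
        record = self._records.get(cert.serial)
        if record is None:
            return ("unknown-serial", None)
        reported = self._compromise.get(cert.serial)
        if reported is not None and reported <= po_time:
            return ("compromise-reported", None)
        return ("holder-identified", record["address"])

def demo():
    ca1 = CA("CN=Joe's CA Shop", b"constructed-key-1")
    ca2 = CA("CN=Joe's CA Shop", b"constructed-key-2")   # a different "Joe"
    a = ca1.issue("CN=Pat Example", "constructed address A")
    b = ca2.issue("CN=Pat Example", "constructed address B")
    return ca1, ca2, a, b
```

The two certificates share a subject name, an issuer name and a serial number, yet `context_id` tells them apart because the issuer keys differ, and each CA resolves only its own certificate to a registration record.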


