i was not so much seeing this part of the thread as what to build .... but what were some of the constituent components and driving factors of the operational infrastructures (aka was it possible for government to mandate stale, static certificates even if it made no economic sense in a rapidly evolving online world).
we've had somewhat related activity in the standards privacy working group. the surface analysis was to take the existing privacy regulation and legislation and codify it. the behind the scenes analysis from 1999 was that driving factors in privacy related regulatory and legislative activity were 1) identity theft and 2) (institutional) denial of service. There would continue to be a lot of regulatory and legislative activity as long as there was identity theft and/or denial of service happening (basically some fundamental economic driving issues). Some amount of this activity suspended in the wake of 9/11 but didn't disappear. In the recent march timeframe, the prediction was a lot of the regulatory and legislative privacy related activity would start to see a lot more action by the summer .... which appears to be coming to pass.
Which then somewhat gets things back to the subject line of confusing all kinds of things with identification. The x9.59 scenario with respect to being agnostic with respect to privacy is that the integrity of a payment transaction can be significantly raised at the same time removing any ancillary need for shared-secrets and/or privacy information in conjunction with the payment.
There was a reference to GSA (a government entity) resorting to bilateral contracts with all of the individual entities (TTP CAs and relying parties) in an attempt to provide stale, static certificates some legal foundation. Rather than forcing all relying parties to have individual contracts with each and every TTP CA ... they effectively made all of the TTP CAs agents of the GSA (via contract) and then every relying party had contract with GSA. This addressed the requirement for N times M individual contracts (as in the discussion of some parts of the world ... which scales poorly in situation where N times M equals 120 billion).
--
Internet trivia, 20th anv: http://www.garlic.com/~lynn/rfcietff.htm

[EMAIL PROTECTED] 6:29/2003 12:51 pm wrote:
I would not try to build a single system that could handle value transfers for regular business use and for government payments. The major reason is the legal liability. Business contracts typically involve civil penalties. Government mandates, and our responses to them, typically involve criminal penalties.
In the business case identity is seldom necessary for transactions that do not involve real-estate. In fact the increasing concern for privacy somewhat mandates that users can limit the data transferred about themselves. This is where account-based transactions should be targeted.
In the government case identity is nearly always required by law or regulation, and privacy is typically not available.
I believe that payments from purchasers to merchants is the problem that we have some chance of solving here. Government payments will be mandated and will probably not be designed for any of the purposes that business desires. Let's focus on what we can effect.
