> given the foundation for strong demonstration of authentication and strong
> demonstration of intention and non-repudiation .... then one might consider
> certificates as mechanism for trust propagation for the benefit of relying
> party strangers (assuming an unconnected, offline infrastructure where the
> relying party stranger has no prior knowledge of the signing entity and/or
> no recourse for contacting the certifying authority) ....

This is not how it works in real life. Thousands of relying parties representing various e-government authorities do not consider citizens as strangers, and hopefully not the reverse either. These authorities all share a common citizen-ID but may or may not exchange citizen information with other authorities belonging to the same "domain" (country).

> but the existing certificates do little or nothing to address the
> level of trust in the authentication mechanism and/or the level
> of trust in the non-repudiation mechanism.

No, they work as a convenient "handle" to both the citizen and to the issuers using various revocation mechanisms. To have a unique relation with thousands of authorities is impossible from an economic point of view, no matter how good it may be.

But there is indeed a certain redundancy in certificates! It would be technically enough that a signature contained
1) the public key
2) a claimed ID (account number)
3) a link to the issuer
4) the signature itself

But this reduction of data would not have such a dramatic impact as far as I can see. Well, it would delay the introduction of e-government services a few years of course.

a few past threads related to 3-factor authentication:
http://www.garlic.com/~lynn/aadsm10.htm#bio6 biometrics
http://www.garlic.com/~lynn/aadsm10.htm#keygen2 Welcome to the Internet, here's your private key
http://www.garlic.com/~lynn/aadsm11.htm#5 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm12.htm#24 Interests of online banks and their users [was Re: Cryptogram: Palladium Only for DRM]
http://www.garlic.com/~lynn/aadsm14.htm#23 Maybe It's Snake Oil All the Way Down
http://www.garlic.com/~lynn/aadsm14.htm#39 An attack on paypal
http://www.garlic.com/~lynn/aadsm15.htm#25 WYTM?

a few past threads specifically related to non-repudiation:
http://www.garlic.com/~lynn/aadsm11.htm#5 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#6 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#7 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#8 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#9 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#11 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#12 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#13 Words, Books, and Key Usage
http://www.garlic.com/~lynn/aadsm11.htm#14 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#15 Meaning of Non-repudiation

--
Internet trivia, 20th anv: http://www.garlic.com/~lynn/rfcietff.htm

[EMAIL PROTECTED] on 10/31/2003 2:18 am wrote:

http://www.fineid.fi/default.asp?todo=setlang&lang=uk

this is a link to an interesting multimedia presentation on the Finnish government - banks - telcos joint project on using the government produced certificate on bank and telco issued cards.

Pekka Honkanen

-----Original message-----
From: Anders Rundgren [mailto:[EMAIL PROTECTED]
Sent: 30 October 2003 23:46
To: internet-payments
Subject: On-line signature standards

Here is some information related to Internet payment gathered from a poll made to the IETF-PKIX, IETF-SMIME, and the OASIS PKI-TC lists regarding the current state of on-line signature standards

=====================================================
There are apparently no standards and nothing in the works either with respect to signing on-line data on the web using Internet browsers.
=====================================================

Since web-signing is today [*] used by many, many, more people and organizations than there are users of signed e-mail, I remain puzzled.

Is the PKI community really just a bunch of "nerds", mostly out of touch with the needs of the market? And what good is a legal framework like the EU signature directive, intended to address "legal interoperability", if there is no interoperability in the technical solutions? "The truth is [still] out there", to travesty a famous TV series.

However, my request spurred quite a lot of interest, so I believe that web-signing really is a thing that finally will be standardized. The question is more by who, as the major interest is really coming from the public sector, not from commercial entities like banks, that rather protect their investments in proprietary solutions.

I personally plan to pursue such a task in W3C or in OASIS in case somebody is interested.

*] Like Scandinavian banks having > 0.5M of users. All current systems rely on entirely proprietary mechanisms. Most of the vendors even require NDAs for getting the documentation.

Anders Rundgren
