But the only business purpose for certificates is for trust propagation
associated with offline operations (where the relying party has no access
to the real and timely information and therefore must make do with stale,
static copies).
In the payment card scenario .... the merchant
1) doesn't need the public key since it relies on the issuer for an online
authentication & authorization
2) the account number is already part of the transaction
3) the account number already routes to the issuer
4) doesn't need the issuer's signature on a certificate since it doesn't
need the contents of the certificate and therefore doesn't need a signature
on something that it doesn't need
the merchant needs what's defined in X9.59 ... i.e. the data elements of
the transaction and the customer's signature on the transaction ... all for
forwarding to the issuer.
http://www.garlic.com/~lynn/index.html#x959
so that is the 3rd party scenario.
also, as previously outlined .... the issuer doesn't need a copy of the
issuer's certificate since the issuer already has the original and therefore
it is redundant and superfluous for the customer to send a copy of
something back to the issuer where the issuer has the original. If you
prefer, the description of how to handle zero byte certificates;
http://www.garlic.com/~lynn/aepay2.htm#position
also how it is redundant and superfluous to transmit relying-party-only
certificates back to the relying-party (i.e. since the issuing institution
already had the original)
http://www.garlic.com/~lynn/subtopic.html#rpo
however the original thrust of the postings was to do with the foundations
of "trust" ... as opposed to the foundations of "trust propagation" ....
certificates are a method of propagating trust .... which is a separate
business issue from establishing trust with regard to the validity of
electronic signatures.
A digital signature can be viewed as part of a business process for
establishing the basis for the business process of electronic signatures,
specifically the authentication part of establishing electronic signatures.
Legal electronic signatures require (at least) things like
* authentication
* non-repudiation
* demonstration of intent and/or agreement
Authentication can be thought of in the context of three factor
authentication:
* something you have
* something you know
* something you are
So an electronic signature trust taxonomy
* authentication
- something you have
- something you know
- something you are
* non-repudiation
* demonstration of intent and/or agreement
Now I see no place where certificates play in the above trust taxonomy.
Assuming the basis for electronic signature trust operation can be
established .... then in business processes that need "trust propagation" in an
offline environment where the relying-party has no other recourse, then
one could conjecture the business process need for a stale, static
credential like a certificate. previous posting
http://www.garlic.com/~lynn/aadsm15.htm#32
As per above .... it is possible to establish a digital signature
infrastructure which can be used to infer "something you have" (like an
encrypted private key software file or a private key hardware token) and
possibly "something you know" (a PIN to access the private key that
performs the digital signature). There is even a possibility for digital
signature infrastructure that can be used to infer "something you are"
(i.e. a certified hardware token that does digital signatures, but requires
biometric input). Again there is no concept of a certificate and trust
propagation associated with the use of digital signatures to establish the
basis of authentication as part of an electronic signature trust business
process. Do you know where certificate infrastructures mention
three-factor authentication and/or anything to do with "something you have"
and/or "something you know" operations? Certificates have to do with the
business process of "trust propagation" for an offline environment where the
relying party has no other recourse. They appear to have little or nothing
to do with the actual business process of "trust" and establishing the
legal acceptable basis for business process of electronic signatures.
My perception is that e-government is an attempt to establish an online
infrastructure, where-as certificates address the business process of
establishing an offline infrastructure (where there is no recourse to
online and/or timely information). One might even make the assertion
that demanding the creation of constructs that satisfy business
requirements for offline infrastructure only confuses and probably
actually obstructs the establishment and understanding of what the
fundamental constructs are needed for online business processes.
--
Internet trivia, 20th anv: http://www.garlic.com/~lynn/rfcietff.htm
[EMAIL PROTECTED] on 11/2/2003 2:23 am wrote:
No, they work as a convenient "handle" to both the citizen and to
the issuers using various revocation mechanisms. To have a
unique relation with thousands of authorities is impossible from
an economic point of view no matter how good it may be.
But there is indeed a certain redundancy in certificates!
It would be technically enough that a signature contained
1) the public key
2) a claimed ID (account number)
3) a link to the issuer
4) the signature itself
But this reduction of data would not have such a dramatic impact as
far as I can see. Well, it would delay the introduction of e-government
services a few years of course.
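The exchange the post describes for the X9.59 case, as an added example that is not part of the original post or of the X9.59 standard: the customer signs the transaction data elements, the merchant forwards them with the signature (no certificate, no public key) and routes on the account number, and the issuer verifies against the public key it already holds from enrollment. The routing-prefix table, account numbers, amounts and nonce are constructed for the example; the signature scheme is textbook RSA implemented with the standard library only so the code runs offline, and is labelled as a stand-in, not as what X9.59 specifies.

```python
"""Online authorization of a signed transaction with no certificate in the
message. Illustrative code written for this page, not from the original post.
The RSA below is unpadded textbook RSA so the example needs no third-party
library; it is NOT a secure signature scheme. Use RSA-PSS or ECDSA in practice."""
import hashlib
import json
import random


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with deterministic witnesses (fine for an illustration)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(n)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(seed: int, bits: int = 160):
    """Return (public, private) as ((n, e), (n, d)); n is ~320 bits so a
    SHA-256 digest always fits below the modulus."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits, rng), _random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def canonical(fields: dict) -> bytes:
    """Fixed-order serialization so signer and verifier hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign(private, fields: dict) -> int:
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(canonical(fields)).digest(), "big"), d, n)


def verify(public, fields: dict, signature: int) -> bool:
    n, e = public
    h = int.from_bytes(hashlib.sha256(canonical(fields)).digest(), "big")
    return pow(signature, e, n) == h % n


class Issuer:
    """Keeps the original public key per account from enrollment, so the
    transaction need carry only the data elements and the signature."""

    def __init__(self):
        self.accounts = {}    # account number -> (public key, available balance)
        self.seen_nonces = set()

    def enroll(self, account: str, public, balance: int) -> None:
        self.accounts[account] = (public, balance)

    def authorize(self, fields: dict, signature: int) -> str:
        entry = self.accounts.get(fields.get("account"))
        if entry is None:
            return "declined: unknown account"
        public, balance = entry
        if not verify(public, fields, signature):
            return "declined: bad signature"   # any altered data element lands here
        if fields["nonce"] in self.seen_nonces:
            return "declined: replay"          # timely state only the issuer has
        if fields["amount"] > balance:
            return "declined: insufficient funds"
        self.seen_nonces.add(fields["nonce"])
        self.accounts[fields["account"]] = (public, balance - fields["amount"])
        return "approved"


def merchant_forward(routing: dict, fields: dict, signature: int) -> str:
    """The merchant holds no public key and verifies nothing: it routes on the
    account-number prefix (an assumed BIN-style table) and relays the answer."""
    issuer = routing.get(fields["account"][:6])
    return issuer.authorize(fields, signature) if issuer else "declined: no route"


def run_demo():
    public, private = generate_keypair(seed=1)
    issuer = Issuer()
    issuer.enroll("411111000001234", public, balance=100)   # constructed account
    routing = {"411111": issuer}                             # constructed routing table
    txn = {"account": "411111000001234", "merchant": "M-42",
           "amount": 60, "currency": "USD", "nonce": "c0ffee01"}
    sig = sign(private, txn)
    results = [merchant_forward(routing, txn, sig)]              # approved
    results.append(merchant_forward(routing, dict(txn, amount=6), sig))  # tampered amount
    results.append(merchant_forward(routing, txn, sig))          # replay of the original
    return results


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The merchant's only job is to carry the signed data elements to the party that already holds the original key; the tampered and replayed messages are both caught at the issuer, which is exactly the online check a stale certificate could not supply.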