ietf-mxcomp

Re: [spf-help] Re: SPF and SenderID

2005-07-23 04:54:39

On Fri, 2005-07-22 at 17:58 -0400, Alan DeKok wrote:

> You need at least a two-level reputation service.  One which
> interacts with customers, and the other which certifies the reputation
> services.  This structure has been demonstrated to solve a lot of
> issues with abusive and/or corrupt reputation services.

There is a conflict of interest which may erode the integrity of what
is typically described as accreditation.  When the revenue stream is
primarily from senders, then these services will likely respond to the
desires of the senders.  When the revenue stream is primarily from the
recipients, then services will likely respond to the desires of the
recipients.  There is often a large difference between these two
desires.

Having said that, there may be an additional role to supplement the
basic trustworthiness of the communication.  Such a service could be
used in conjunction with recipient-based services, as a check against
the sender-based service.  Verifying keys comes to mind, which is
typically the role of a CA.  A CA will normally worry about getting
paid, and by whom.  They are typically more concerned about getting the
'by whom' part right to protect their reputation as a CA.

Rather than just using a lock icon to indicate security, each CA should
offer their own short-cut icon that prefixes the name being validated.
                       |
   ---------------------
   | CA |  example.com |
------------------------

This information should appear without expecting the user to investigate
the source of the certificate.  These two pieces of information can be
used together.  A CA run by the FDIC, for example, should know who the
banks are.  You, as a consumer, may want to know which is the better bank
to do business with, which will require a different service that offers
information on behalf of the consumer rather than the bank.

-Doug
