pem-dev

Re: ICA terminology

1992-05-06 04:55:00
My first reaction is that "certification authority" is the term used in
CCITT Recommendation X.509, which is why we chose it. "In order for a
user to trust the authentication procedure, it must obtain the other user's
public key from a source that it trusts.  Such a source, called a
certification authority (CA), uses the public key algorithm to certify the
public key producing a *certificate*."  The ICA will certify that a given
public key belongs to the Policy Certification Authority named in the
certificate signed by the ICA.  Furthermore, I assume, the ICA will itself
publish, as an RFC, its own signed policy, in which it says this, and in
which it specifically denies any other representations regarding the PCA,
except that the PCA has paid the required fee, etc. as explained in the
published ICA policy.  I am opposed to allowing lawyers to create confusion
by inventing terminology that conflicts with established international
standards.

After discussions with legal counsel, it has been strongly
recommended that the term Internet Certification Authority
be amended if it is to be associated with the Internet Society.
The problem revolves around the term "certification" which 
could be construed to imply some kind of guarantee with respect
to the agent whose certificate is signed by the Internet Society.
There are potential liabilities associated with any such implied
certifications and it is thought that an alternative term such
as Internet Certificate Registration Authority or something using
the neutral term "registration" would be a material improvement.

Please let me know your thoughts and reactions.

thanks,

Vint

