Ted, I think you are mistaken. I believe that the RSA Unaffiliated User CA
is intended to be a CA under the RSA Commercial Hierarchy, and not a PCA
by itself. But I also believe that it hasn't yet commenced operation, so there
may be some time left to correct this "problem," if it is one.
The basic issue, of course, is that there simply ISN'T any effective
civil naming authority currently in existence that is capable of tracking
residential users.
1. The various States' Departments of Motor Vehicles COULD
be used for this purpose, but with all of the pressure
on local governments they are not at all likely to take
on such a role.
2. Various commercial and/or quasi-governmental agencies
could take this on, including the Post Office, the electric
company, or the local telephone company. So could banks
and of course service companies such as RSA.
I would argue that even if the DMV or the Post Office were to
register individual users, their name should still appear as the naming
authority within the user's DN, in order to ensure global uniqueness and
to provide some kind of indication as to who performed the
due process necessary to establish the user's name.
I would therefore suggest that the correct form should be something
like
C=US, O=GTE [or USPS, or RSA DSI, or California DMV],
OU=Residential Person CA [or OU=Customer],
State=California, localityName=Burbank, streetAddress=12345 El Camino,
CN=Johnny Carson
The problem, of course, is that it is only the content of the OU name
that would differentiate between such a residential person and an
employee of a company located at a field office with the same address.
One reason for having a commercial organization as a CA is that you
can sue them for negligence if they screw up the identification of the
user, whereas the DMV would claim sovereign immunity. Of course, that
is why the CAs would try very hard to ensure that they didn't have any
liability.
One thing is pretty clear -- if users want the same kind of protection
against compromised keys that they have with credit cards, only a
commercial organization such as a credit card company that receives
a percentage of the action is going to be able to afford the risks.
I believe that the ideal test case would be electronic filing of tax returns.
What type of identification, and what kind of liability protection would
be required to support such an application? Who should be the CA?