
Re: WG Last Call on draft-ietf-pkix-tac-03




A
...
Well, I think there may be a few ways to go at it that differ
from the current draft. My concern was more with the communications
paths used rather than an objection to the use of the threshold
scheme.

But, your suggestion of direct communication only between the BI and the user causes the problems I noted, unless we add the encryption mechanism suggested by David Cooper, which itself is an example of added complexity :-)

...

I'm not sure I follow that - how does the scheme show the CA is taking
precautions? The entities involved could still collude regardless of the
scheme, or could honestly not collude even if no threshold scheme were
used.

It is true that an honest TAC CA could do all of this even without the AI/BI split. That's not the issue. The motivation for having the AI/BI split is to make it easier to show to a third party (and to convince prospective users) that IF the TAC CA operates as described, then it is providing the conditional anonymity indicated. The details here are ones that a TAC CA would cite in its CPS. The split signing and threshold signature mechanism are ones that, if implemented properly, provide reasonable assurance of the desired separation. An auditor or evaluator of a TAC CA can verify that these mechanisms are being used, as part of an assessment.

The value of a document like this is that it provides those who perform audits (assessments, evaluations, ...) a guideline against which to measure a CA. This is analogous to what we did with RFC 3647, providing attorneys with a guideline for CP/CPS construction.

Deference? In the IETF? That's optimistic. ;-)

Yes, but it is also reasonable. We have accorded some level of deference to folks who are more expert in a specific area than we are; the CP/CPS document and its reliance on lawyers is a good example.

However, since this is aimed at experimental I'd be fine if some
text were added that pointed out the alternatives and the differences
between the various flows. That way, the issue could be revisited
if/when the spec were put on the standards track.

I think my co-authors at KISA have made enough revisions at this stage to satisfy comments. If someone wants to write another I-D that proposes alternatives, they are free to do so. After all, as you noted, this is a document declared to be experimental, so there is no harm in having more than one approach. If we find that one or more real CAs offer TAC services and choose to follow the model here, that supports this as a viable model. If no CAs do so, or if they object to the model and propose alternatives, that will support the contention that other approaches are superior.

Steve