[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Relieving CAs of 'ultimate responsibility' [was: Way forward - updating RFC 3161]
Stefan Santesson wrote:
Note that we have a very similar [role separation] situation with PKI.
The CA issues certificates, but in practice the CA will delegate the
signing to a “unit” and may delegate authorization of attributes to
“Registration Authority”. Still, the CA is ultimately the responsible
party and not any “unit” or other subordinate entity or process.
Ultimately, the CA is responsible for what exactly? In orthodox PKI, the
CA is responsible for everything, and hence we got ourselves into a
quagmire of unwieldy thick CPs, legal agreements and untold risks. This
despite the fact that most liabilities arise in mis-registration.
But there is a way to relieve CAs of many risks, and at the same time
simplify the legal principles, the user agreements and the PKI business
model: treat the CA like a Security Printer. Like a cheque printer, a CA
should only be responsible for the quality of the certificates (cheques)
but not their content.
See http://www.lockstep.com.au/library/pki/the_security_printer_model_fo.
Cheers,
Stephen Wilson
Managing Director
Lockstep Group
Phone +61 (0)414 488 851
www.lockstep.com.au <http://www.lockstep.com.au>
-------------------
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.
-----------------------------------------------------------------------
* Finextra Innovation Showcase 2009
* ABC TV 'The New Inventors' Nov 2008
* Global Security Challenge Asia Top Five 2008
* Australian Technology Showcase 2008
* AusIndustry COMET Grant 2007