[2445] in cryptography@c2.net mail archive
Re: "ABA" beomes root CA for financial services industry
daemon@ATHENA.MIT.EDU (Robert Hettinga)
Fri Apr 3 19:08:19 1998
Date: Fri, 3 Apr 1998 15:27:27 -0500
To: cryptography@c2.net, dcsb@ai.mit.edu
From: Robert Hettinga <rah@shipwright.com>
--- begin forwarded text
Mime-Version: 1.0
Date: Fri, 3 Apr 1998 11:53:54 -0700
Reply-To: Digital Signature discussion <DIGSIG@LISTSERV.TEMPLE.EDU>
Sender: Digital Signature discussion <DIGSIG@LISTSERV.TEMPLE.EDU>
From: Bob Jueneman <BJUENEMAN@NOVELL.COM>
Subject: Re: "ABA" beomes root CA for financial services industry
Comments: To: rah@SHIPWRIGHT.COM
To: DIGSIG@LISTSERV.TEMPLE.EDU
With due respect, I submit that Robert Hettinga has missed a very major point,
as have most of the other commentators who have decried the very notion of
any kind of hierarchical relationship between CA or firms in the financial
world.
The point is one of scale, and the dificulty of establishing the
credentials of others
on a trusted basis, once the number of entitites involved grows beyond a
few dozen.
I won't get into an argument as to whether or not there are too many
(different) banks
in the US (or too many lawyers, for that matter, or even PKI architects),
except to note that the consolidation of banks in Asia and in Europe are
making even the relative
giants like Bank of America and Chase Manhattan look small.
In any case, it seem obvious to me that even all of the banks do not know
each other or routinely do business with each other, much less have some
spider-web or geodesic dome of trust established between all of the players.
Presumably that is why the American Banking Association decided to set up
a CA, in order to issue basic identification certificates to their members.
Will this CA serve as some kind of clearing house, or otherwise intermediate
financial transactions? I very much doubt it. I suspect that their purpose is
very simple, and very limited -- to merely identify a bank as such, in their
role as a commonly trusted industry association.
We see exactly the same process taking place in the automotive industry,
with the creation of the ANX association/cartel/diahatsu; and the aerospace
industry, led by Boeing, is not going to be far behind them.
Why is this so? Why do we see an apparent violation of entropy and the
First Law of
Thermodynamics, with order apparently arising out of chaos?
Scale.
Webs of trust are simply unmanageable. There are far too many connections, and
it is far too easy to engage in a finger-point game if something goes
wrong. And it is
simply impossible to carry out all of the negotiations between the various
parties to
establish all of the bilateral trust relationships that would otherwise be
necessary.
But frankly, I don't really care what the bankers do in managing their own
affairs.
I am more concerend with the interaction between the consumer and various
businesses.
At Novell's recent BrainShare conference, we announced the forthcoming
availability
of our new Public Key Infrastructure Services (PKIS) component, which will
be included
free within the NetWare 5.0 release coming out this summer. The reaction from
customers was very gratifying to this engineer's ears, "Do you mean that
you are
going to making available for free a product that will allow us to mint our
own certificate, for free? That is tremendous news."
Like I said, very gratifying. But there is a hitch. Although the
certificates that are
issued will all be tied back to a Novell root certificate in order to
validate certain
value-added certifciate enhancements, we are not operating as a CA SERVICE,
and don't intend to. The PKIS product is part of our Red Box CD, but
we make use of the same kind of distribution techniques as others in the
software
industry do -- what I call the Cheerios box paradigm. We put the boxes on
the shelf,
and trucks pull up and take them to resellers, where trucks pull up and
take them to
customers. We have very little control or knowledge as to where a
particular box goes,
unless the customer returns the warranty card. But relying on a warrantty card
would hardly constitute due diligence, so all we can put in the certificate
at one
critical point in the chain is commonName="Novell customer # 123456".
Now, that's just fine for a customer who only wants to run an Intranet system.
The PKIS system will allow him to fill in any organizational name he likes,
with no checks at all about right to use issues, etc. If someone wants
to create a certificate that says organization=Microsoft, commonName=Bill
Gates,
they are free to do so. It's all in house, so no one cares.
But as soon as that organization wishes to interact with people outside of
their
own organization, that isn't so good at all. And its no good telling the
consumer that
she should first establish a trusted relationship with the organization,
and install their
certificfate, if that is the problem that she is trying to solve in the
first place.
If I am an attorney and I publish my web page address in the Yellow Pages,
I want someone to be able to click on that address and request my services
perhaps to assist them in drafting a contract, without first coming to my
office to sign a contact! And particularly if I am a criminal defense
attorney,
my client wants to know with a reasonable certainty that I am who I say I am,
and not the local police department trying to entrap me, even if my frim is
in a different city.
Public CAs, like for example VeriSign, solve that problem reasonably well by
issuing certificates to companies, servers, and individuals, after
performing a
reasonable amount of due diligence.
However, although I can hardly blame them for trying, they would clearly
like to
be in the retail certificate business, charging another $400 for every
additional
server that needs a certificate for example, even after the basic due diligence
has been performed. Nice work, if you can get it!
What larger customers clearly want is to be able to get a single
certificate which
identifies their organization, and then lets them run their own subordinate
CA under
that single primary credential.
Without this kind of "wholesale" CA, businesses either have to buy at
retail, which
is too expensive, or they have to independently distribute their own root
keys, which
is almost impossible.
The various browsers already distribute on the order of 50 root
certificates for various
CAs, and I challenge anyone to find a single user who could says that they had
reasonable amount of independent confidence in those CAs.
If we have to propagate say 100,000 certificates from all sorts of individual
businesses to all of the millions of browsers out there, the system will
clearly
collapse under its own weight. That's what I mean by scale.
So I claim that the creation of what I call these "wholesale" CAs,
regardless of
who sponsors them, a natural and highly desirable progression out of chaos and
into some kind of order.
I don't care particularly whether various federal or state organizations
perform
this service, as Utah might for example, or whether industry associations
do it, or
whether a new breed of privat enterprise CAs steps in to fill this gap. I'm
just glad that
someone is.
Bob
<complete text of my message snipped the interes of bandwidth... ;-)>
--- end forwarded text
-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/
