Eddy Nigg wrote:
On 11/11/2008 03:54 PM, Ian G:

And, in particular, the PKI industry's obsession with some concept that
you refer to as "legal identity" is ruining its own market.


I personally don't perceive it as such nor do I think that there is such an obsession. I *do* believe that more verified identities may be good for the Internet in general - which would allow one to view unverified ones with a grain of suspicion.


eBay users seem to survive without them?

Or let's make some comparison to transportation, where one in order to drive a car must undergo some training and carry a license. I could imagine something similar applied to the Internet, where one carries a license in order to drive on the network. Anybody without a license can't drive along.


Sure. This is nothing to do with *identity* tho, all it has to do with is one's tested ability to drive safely. Try this thought experiment: would a driver's licence without a name on it, but with a photo on it, work as well?


However - and this might be interesting for the other camp - one doesn't stick the driver's license in bold letters onto the rear window for everybody to see, instead you've got license plates for the car. In some way, the driver remains anonymous to some extent. Applying this to the Internet, I'd know that you've got a license and I'd even know the number. I still don't know your personal details - which I could request from you if I wanted to. It would be known by an authority should need arise (in case of unlawful actions like malware distribution).


Right, certs without names or with nicknames achieve that. It might not be possible to see the name, but seeing the issuer is sufficient to say something. If a trail is all that is required, this can simplify things a lot.


Now of course this is some form of reducing the freedom of the individual, but on the other hand would bring some peace of mind (with malware and fraud removed, children clearly protected and so forth). Similar to the transportation system where not every individual can do as he likes.


Well, except there isn't much in the way of use cases. On the roads, bad drivers keep bumping into each other. When enough innocents have been slaughtered, we demand licensing and testing.

On the net, bad users keep destroying their own email. I don't think we need to licence people to destroy their own email... yet... because they seem to have a limitless fountain of it.


Sure, that's a claim that is frequently made, albeit *only in PKI
circles*.

Really?


OK, you're right, it is also frequently made in press articles :)


That's what that whole CN is about. Some name that is fairly
clear, and an implied CA claim that there really is only one Paypal in
its list of certs, so you can rely that this is "the one".

There is one in San Jose, CA, USA. The claim is that of Paypal that they hold the trademark, there is a difference.


Sure. Trademarks are actually divided by sector, so one can be Apple and another can be Apple. They have courts for these things; as long as the two companies do not compete in some area (like Apple :) ) then there is no issue.

So the thing above would be to make sure that each site for Apple identified which one it really was. Asking the CA to get into branding is a little fraught. (Although I frequently suggest it in another context).

What is a CA going to do about this? So far, a CN still covers it: "Apple Records" as opposed to "Apple Computers".

Then there is the one between the end user and the website business.
This might or might not be the one that is central in the dispute. Then
there are other agreements that pop in and out in the normal course of
business.

Of course. There shall be no difference from when I walk into their shop or buy from the web site.


Ah, but there is, that is the point.

Confirmations of CAs provide the verified information (like a Notary as I said earlier). CAs don't interfere in the handling of their respective businesses nor legal system. I think this is very clear.


The point is: do CAs require this so-called "legal identity"? If so, why?

Let's call it for sake of discussion a privacy issue. If so, then it should not be required unless needed. In privacy, we have to establish a compelling need for the info; or we have to stop keeping it.

If the answer is, so relying party can take the subscriber to court, then we have a problem: it won't work that easily, indeed it is bordering on useless, because the more borders we cross, the more the transaction costs go up.


I have the feeling you are trying to create a problem where there isn't one and make something up which never was claimed. And there is no sand castle either...


Nope, just eliminating an assumption or two: identity required for court. Once these are eliminated, life becomes much easier.


Yes, you are almost there. The purpose is to resolve a dispute.

Duuuh?


And, for a dispute, you do not need the verified identity. You need to find some way to get the person into court. There is a terrific gulf between these two things. Verified Identity will not get the person into court, and likely it won't help much. What will help is proximity.

Granted, verified identity may provide a placebo effect to some users, but this comes at a cost, so such a placebo should be optional.


iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
