Re: WebID and HTTPS Client Certificate Authentication

On 7 Aug 2011, at 20:47, Dave Raggett wrote:

> I agree with the issue of trust. CAs don't really reflect the trust models we have for people and organizations.
> 
> For businesses, I would like to see credentials provided by national or regional bodies such as Companies House in the UK, as well as organizations charged with responsibilities for oversight of particular industry segments.

Certain kinds of businesses don't have to be registered with CH… sole traders, for example.

UK businesses already have problems in that trading names can't appear on EV certificates, which triggers the double-edged sword of devaluing both trust in the business *and* in the EV scheme (not that the latter needs much help, particularly).

I'm not sure that further barriers are entirely the right answer in this space.

*However*, for regulated organisations (of which there are many, and are particularly ripe for phishing), I'm not sure why the national regulators don't operate the CAs which issue their certs. Why doesn't the Financial Services Authority issue digital certificates for brokers in the UK, for example? They issue -paper- certificates, so why not digital certs? etc.

> For individuals, you would have government issued credentials, as well as scoped credentials such as for current membership as a student at a given university.

It'd be worth re-stating that to be a tad more specific. "Government-issued credentials" can mean any of a range of things in different shapes and forms, and a great many of them are not just useless, but actively damaging.

M.

-- 
Mo McRoberts - Data Analyst - Digital Public Space,
Zone 1.08, BBC Scotland, 40 Pacific Quay, Glasgow G51 1DA,
Room 7066, BBC Television Centre, London W12 7RJ,
0141 422 6036 (Internal: 01-26036) - PGP key 0x663E2B4A

Received on Sunday, 7 August 2011 22:05:42 UTC