From: Bill Stewart <stewarts@ix.netcom.com>
Date: Wed, 31 Jan 1996 16:49:03 +0800
To: cypherpunks@toad.com
Subject: Re: [Fwd: Netscape, CAs, and Verisign]
Message-ID: <199601310810.AAA00299@ix10.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At 02:55 PM 1/29/96 -0500, Peter Williams wrote, in response to Alex:
>>I'd like to see a less centralized CA that's tied into the existing system
>>of notaries.  The idea is to make it necessary to spoof a notary in order
>>to spoof the CA.  That won't make spoofing the CA impossible (nothing
>>will), but it will make spoofing the CA illegal. 
...
>I dont understand how you intend to make CA spoofing illegal. Who
>who perform the enforcement? (By illegal, I assume you mean that
>there is a criminal offence involved, rather than a tort.)

Is providing false documents to a notary criminal fraud, or only civil?

>>Fees for the whole procedure ought to be less than $30.  The CA ought to
>>operate off of the fees from the agents as a non-profit organization, and
>>the agents ought to keep the fees paid by the people requesting the
>>certificates.

>Notary fees might be best controlled by the notary, not the CA. 
>Seems an unreasonable restriction of trade to price-fix, even at the low-end.

Notary fees can be agreed contractually between the notary and the CA;
if they want to do a list price / street price system, or a non-profit,
or a dog-eat-capitalist-running-dog competitive system, the market can
let you pick your favorites.

>There is indeed a large body of legal ramifications in this
>area. The best way to learn about it is to become a CA and do it. Risk
>taking is part of being in the CA business, however you operate it,
>even for free.

>>Morevover, although I don't think it's reasonable to expect Netscape to
>>agree to include a non-existent CA in their browsers sight unseen, at the
>>same time it doesn't seem smart to sink money into setting up the CA
>>without some indication from Netscape that they're willing to give the
>>idea good faith consideration. 
>Navigator betas seem to already facilitate users configuring their own
>trust points in a manner rather similar to adding a key to your
>personal PGP keyring.

Letting the user decide whom to trust certainly seems like the best
approach, and makes it possible to build a Web of Trust on top of Netscape
rather than being stuck with hierarchical certifications.
Meanwhile, if Netscape wants to sell the top two slots in their
CA list to the highest-bidding advertiser like they do with searchers,
they still can.

#--
#				Thanks;  Bill
# Bill Stewart, stewarts@ix.netcom.com, Pager/Voicemail 1-408-787-1281
# http://www.idiom.com/~wcs