[fc-discuss] Financial Cryptography Update: High Assurance - summary of the Due Diligence

iang@iang.org iang@iang.org
Wed, 22 Feb 2006 17:22:57 +0000 (GMT)

 Financial Cryptography Update: High Assurance - summary of the Due Diligence 

                           February 22, 2006




Someone (who has requested anonymity) has been doing the research on at
least some of the goings on in the "High Assurance" programme.	It
seems that GeoTrust/RSA/Identrus approached the ABA with the view to
endorsing the programme for purpose of notarising documents --
GeoTrust's current strategic desires in e-notarisation.  To this end,
they are proposing signoff by bank and a lawyer (thus we see the
Identrus and ABA involvement) as well as a site visit and a
supplementary WebTrust audit to bring the accountants on side.

The documents are located at
http://www.abanet.org/dch/committee.cfm?com=ST230002 (over on the lower
right, in the Listserv box, there is a javascript popup called Cert
Issuance Standards.)  The meat of the proposal seems to be enhanced Due
Diligence ("DD").  Here's a summary:

(a)  Notarization of the signature on the Application for the High
Assurance certificate:	This establishes a face-to-face contact with a
real person acting on behalf of the certificate applicant for the first
time in the industry.  A notary will also ask for and record a piece of
reliable ID (e.g., a driver's license or passport) from the person
signing the Application, which will be invaluable in tracking down a

(b)  Obtaining an attorney opinion letter confirming important
Application information:  An attorney opinion letter from the
Applicant's counsel will verify critical pieces of identity information
that a public CA presently only assumes by inference, such as current
corporate existence and actual authority of the person requesting the
Certificate.  The attorney opinion letter will also be the chief way by
which public CAs can verify the legal right of an Applicant to use a
trademark or logo, thereby helping to avoid commercial disputes.
Verified trademarks and logos will likely be included inside TLS/SSL
digital certificates in the near future for use in new applications,
creating important new branding opportunities for businesses.

(c)  Confirming that the Applicant is actively engaged in business
(i.e., is a "real" business) by confirming that the Applicant maintains
a bank account:  Consumer surveys show the public does not want to do
business or share information online with imaginary business entities
shell corporations that have no real-world business existence.	The
Assurance vetting process confirms that the Applicant maintains a
banking relationship with a financial institution, which not only
provides solid evidence of ongoing business activity but also provides
an important additional confirmed point of contact in the event of a
consumer complaint.  Because financial institutions must follow
stringent "know your customer" rules under federal regulations, they
likely to have extremely accurate information about the Applicant.

(d)  Finally, verifying that a representative of the Applicant can be
located at a confirmed physical location:  Consumers have also
they want to be able to link a web site to a physical location where
site owner can actually be found, but no such testing is done by any CA
for current SSL certificates.  Public CAs today could even issue an
organizational certificate to an Applicant listing a particular
only to find out later (after online fraud) that the address is a
lot or an anonymous mailbox service and the web site owner has
The High Assurance certificate is backed by a real-world site visit to
the Applicant's address with recorded information to verify that a
representative of the Applicant can be found there, which establishes
the final vital point of contact.  

The good thing about DD processes is that if yours isn't working,
there's always more you can throw into it.  The bad thing is that this
won't necessarily improve it.

There are several problems with the above, but probably the biggest
issue is again how the big boys are doing the deals in the back rooms
on their wish lists, and then expecting the net to swallow this as some
sort of open consensus / rough working code.  Those who are not
represented in this process are the smaller CAs, the notaries, and all
of the users;  as suspected, my source informs me that there was no
open call for wider industry participation, so some of the most obvious
problems will go unaddressed until it is too late.

See also the competing proposal by the National Notary Association (in


Powered by Movable Type
Version 2.64