[TrustBar] [Fwd: Re: Low assurance SSL CAs]
Ian G
iang at iang.org
Tue Feb 15 12:32:21 EST 2005
Duane wrote:
> My thinking is that this isn't good enough, and there is no standard
> way to represent different grades of how much trust should be put into
> certificate providers. Even though some providers have "Class 1/2/3"
> on their root certificate this isn't standardised in any way, even web
> trust doesn't sanitise the information on root certificates, it judges
> what's listed in CPS documents and verifies they match the CA practice.
> Below are my suggestions on how it might be better handled.
Assume N levels of "trust". Instead of directly
looking at that, can you suggest anywhere where
such a scheme exists?
Is there an analogue? More points if the scheme
is run outside the 'public sector' a.k.a. government
and outside any other centralised agency.
iang
>
> No verification = IDVL 0
> email only verification = IDVL 1
> faxed in verification (photocopied ID etc) = IDVL 2
> web of trust like CAcert runs with in person meetings and formalised
> documentation and policies = IDVL 3
> public notary and original documents sent in or meet in person at the
> CA office = IDVL 4
> police ID check = IDVL 5
> government/military background checking via police and other sources =
> IDVL 6
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/