VeriSign's SSL CA vs. the FPKI trust network


Dear List,

One (of the numerous) ways to describe the differences between the current FPKI enterprise trust model and the
model I am suggesting as the next logical step for FPKI (the gateway), is to look at some core data.  Although the figures are only estimates they should not be too far from the truth.
 
Organizations covered by FPKI:  <1000
Organizations (servers actually) covered by VeriSign's SSL CA: >1000 000
Difference: >3 magnitudes
 
Relying parties for FPKI: < 10 000 000
Relying parties for VeriSign's SSL CA: > 1000 000 000
Difference: 2-3 magnitudes
 
Costs for running FPKI: Undisclosed sums of tax payer money
Costs for running VeriSign's SSL CA: Profitable outfit
Difference: huge
 
Cost and time for an organization for entering the FPKI trust network: Huge and long, respectively
Cost and time for an organization for entering VeriSign's SSL CA trust network: $350/y and roughly one week, respectively
Difference: huge
 
That is, by building secure messaging between organizations based on gateway PKI rather than on "employee" PKI, you can deploy secure systems with a much higher speed and at a fraction of the cost of the latter.  Note that the gateway is not reducing the need for client security solutions.  However, client security solutions do not have to be uniform between organizations and actually not even within organizations.  To take one example, using OTP (One Time Password) solutions is often a good alternative to PKI.  The gateway is the de facto standard approach for maintaining secure messaging in the financial sector and as far as I know they have no intention to change that as it actually works extremely well.  Using PKI it just gets cheaper and better.
 
The Proposal
Instead of taking working software and systems down, I suggest that the FPKI Steering Committee does the following:
  • Define a suitable policy and format for an organization-only-certificate.  Note: SSL certificates are not really organization certificates, they rather certify host names including domain owners.
  • Outsource the production of such certificates to a suitable commercial vendor
  • Create guidelines for application developers
  • Market the scheme
By doing that, FPKI would actually be defining a global trust network as the European counterparts are only driven by local (state-driven) CAs.
 
regards
Anders Rundgren
Located in the EU, working for a US company, but here expressing my personal opinion

