Open versus closed PKI systems

Ian BROWN I.Brown at cs.ucl.ac.uk
Wed, 16 May 2001 10:59:15 +0100


>one registration can be used for multiple low
>value e-commerce or e-citizen purposes with a level of automation

I'm not sure why low-value e-commerce transactions would need positive 
customer ID? Any newsagent that started demanding passports from customers 
would quickly go out of business...

I'm also unsure why a civil service bureaucracy that spends a serious 
amount of money on issuing credentials (driving licenses, benefit cards, etc. 
etc. etc.) could not use existing relationships with citizens to simply 
provide electronic versions of the same, rather than requiring those citizens 
to shell out 25 pounds plus?

> another doctor in an emergency situation might not, and might be
> prepared to rely on the Class 4 certificate in my smart card (dare I say
> "identity card"? :-) to give me some private medicine?

A private doctor wants a credential saying "This individual is covered by BUPA 
health insurance", not "this patient's name is Ian Brown." Public or private 
doctors just maybe (most of the doctors on this list think not!) would like 
some medical record information on that smartcard.

>I believe home address (or essentially some means of finding the
>individual), so RPs can take you to court, might be useful by itself

There's already a widely-used offline way of doing this: post an 
authenticating secret to the address. Any transaction of the level where an RP 
would be interested in taking someone to court will almost certainly require 
the previous building of a relationship over some period of time.

>But remember, one of the main values of the certificate is to provide some
>likelihood that disputes won't happen. Chasing up failures needn't be part
>of the business model.

It does: each transaction cost needs to include (cost of failure * probability 
of failure + cost of chasing up failures / total transactions) and if customers 
don't think the chasing up will happen, the probability of failure will rapidly 
increase to uneconomic levels!

Ian :)