Eve Maler has a new blog entry, How to Rest Assured, which is about identity assurance: how can the receiver be sure who the sender is?
My first thought is "plus ça change." Or, to be more accurate, it was "what's that French phrase about the more things change?"
CertCo tried to create this business about 10 years ago. The Wikipedia link is a reasonable history. The key innovation that CertCo's founders had was that banks could mitigate the risk of B2B e-commerce if they imposed uniform business processes on their customers and acted as the CAs for them. We had many of the largest banks signed up to participate, all sorts of innovative/patented IP to make it possible, and created the appropriate governance organization (the apparently now-defunct Identrus); they also had Federal Reserve involvement to help assess the appropriate amount of leverage and assets that would be needed to underwrite the risks.
We had some very useful terminology back then, including the four-corner model, the relying party and counterparty, and of course the ever-present risk management. The seminal public talk on this is by Dan Geer (one of the smartest people I've ever met), titled Risk Management is where the Money Is, which was published in the RISKS digest in 1998. A follow-up article in 2003 in IEEE Computer is titled Risk Management Is Still Where the Money Is.
There doesn't seem to be a free version around, but I'll quote the abstract in its entirety: "Security is not a product but a process. The question is only what tradeoffs to make. The answer is interdisciplinary."
CertCo was one of the two truly visionary companies I worked at (the other being DataPower). I'm still sad that we didn't make it.
Security, Middleware, Appliances
From archive: January 2010