Cross-certification and cross-recognition continue to be stumbling blocks in PKI. Cross-certification has been a lofty goal for many years but has proven to be expensive and impractical. And when we look at it closely, we find that it wouldn’t give users much benefit in any event. Cross-certification establishes the equivalence of certificates from different PKIs, yet two users on either end of a transaction are usually asserting different types of credentials which will never be equivalent. The fundamental issue for users is not equivalence; it is fitness for purpose.
We’re accustomed to the role of independent audit reports helping us to decide if a CA can be relied upon, but the decision is traditionally made out-of-band. This paper will present a new way of making a CA’s audit report machine-readable, as a standard X.509 certificate. The approach is based on existing international audit standards and mature accreditation systems. It thereby demystifies PKI, clarifies liability, cuts compliance costs, and preserves sovereignty in communities of interest and national schemes.ISSE 2001 Wilson slides ISSE 2001 Wilson paper