Problems in Mandating Strong Personal EOI in PKI

Introduction

There is a view in some policy circles that all certificate holders should be subject to strong identity checks. This position derives from the concern that forensic investigation of fraud will be more difficult in e-commerce than it is in conventional business. Historically it may have been fuelled by the association of cryptography development and controls with defence agencies and national interest concerns. Furthermore, some of the earlier PKI applications were associated with government services like taxation and national health, which attract criminal sanctions in the event of fraud. This naturally leads to strenuous checks on personal identity.

Perhaps inadvertently, a strong onus on personal evidence of identity has carried over into PKI in general. Yet there are major problems and new risks introduced by what might appear to merely be prudence. This paper argues that there should be no minimum EOI mandated across-the-board in open PKI schemes, such as Gatekeeper. Instead, Certification Authorities in concert with their respective communities of interest should be allowed to set registration rules fit for the purpose of their certificates. It is not disputed that certain applications – such as social security, banking, and areas of national interest like defence, customs and immigration – have legitimate requirements for strong EOI, especially if criminal liabilities are attached. But these applications should be treated as communities of interest like any other, and left to decide what EOI standards are appropriate. They should not act to raise unnecessary burden of proof across all types of certificates.