Certification Authority
We use the term all the time, but what does it mean?
Welcome to the club.
Without a rock-solid system of open, participatory governance, centralized authority over things like certification is just an invitation to abuse. We can’t allow the Internet to be hijacked by a small core of megalomaniacs, or by some national government or governments.
But peer governance also has problems. Systems that depend upon the trustworthiness of members of groups as opposed to a reliance on due process can fairly easily be subverted. You’re probably familiar with what happened to Anonymous last year when the group’s de facto leader, Hector Xavier Monsegur, aka Sabu, turned his fellow Anonymous hackers in to the FBI. After a lapse in caution had revealed his identity, Sabu found himself under pressure and, in their time-honored way, the FBI apparently offered to reduce the pressure in exchange for a few names of his colleagues. That sort of thing will happen, and the larger the group the higher the probability that one of its members will fail to uphold the standards of the group.
Small trust networks based upon personalities rather than authoritative procedure can work when there’s not too much at stake. But as soon as real power or money enters the picture there needs to be a well-designed, personality-free system based upon immutable due process. And it needs to include individual accountability. We all know that the present system of dozens of competing commercial certification “authorities” is just not sustainable, even if there’s never another DigiNotar-size fiasco. In the immortal words of Matt Blaze, “A commercial certification authority protects you from anyone whose money they refuse to take.”
Nor can the solution be found in certification authorities run by national governments. Especially after the Snowden revelations, who wants government agencies issuing and managing our identity certificates?
The expression “governance, not government” points us to the solution, as this video explains: