Comment by pdonis
1 year ago
How is anyone else going to know that the public key I hand them belongs to a person that satisfies whatever requirement they are checking? For example, if someone wants to verify my age, how do they know the public key I hand them belongs to a person that meets the age requirement?
Some third party is going to have to verify that that's true. Which means some third party is going to have to have access to my private data, to verify that my public key belongs to a person whose private data meets whatever requirements are being asked about. That third party will end up being a big tech company.
Your example about CAs is not relevant because CAs only need to verify that someone has control of a particular web endpoint. They don't need to verify the private information of whoever that person is. So the information they need is much less intrusive than the information a third party who is going to attest that public keys belong to people meeting things like age requirements would need to have. Yes, once a third party has attested to your age certificate, they aren't involved with how you use it, but that third party has to have a lot more private information about you to be able to make that attestation than CAs currently have about website operators.
Do note that the reference here to CA is a conceptual reference; in other words, it refers to a trusted entity who can verify certain bits of information (like your age or identity) and then issue certificates for it. "Trust anchor" is the lingo Certisfy uses for CAs.
Hostnames are what TLS certificate CAs such as DigiCert verify ownership of then issue certificates for; the same concept can be applied to any kind of information, including private information.
For instance a state DMV could choose to be a Certisfy "trust anchor"/CA and issue you a cryptographic certificate for your driver's license to be used for IRL identity anchoring.
So no, a "trust anchor"/CA need not be a big tech company; in fact, if such a concept is deployed at scale, a large class of entities can/should play the role of "CA", including people doing it as part of a business service.
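The split the two posters are arguing about (the trust anchor sees the private data once and emits a signed claim bound to a public key; the relying party checks only the anchor's signature and a proof that the presenter holds the matching private key) can be shown in a few dozen lines. The example below is added here and is not Certisfy's code; the attestation format, field names, the "example-dmv" issuer string, the one-year validity and the `age_over_18` claim are all my own assumptions. It uses only Go's standard library (Ed25519 signatures and JSON).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Attestation is what a trust anchor (a DMV in the thread's example) issues.
// It binds a derived claim to the subject's PUBLIC key; the birth date that
// justified the claim never leaves the anchor. (Constructed format, not Certisfy's.)
type Attestation struct {
	Issuer     string `json:"issuer"`
	SubjectPub []byte `json:"subject_pub"`
	Claim      string `json:"claim"`     // e.g. "age_over_18"
	NotAfter   int64  `json:"not_after"` // unix seconds
}

// SignedAttestation is the serialized attestation plus the anchor's signature over it.
type SignedAttestation struct {
	Body []byte
	Sig  []byte
}

// Issue runs at the trust anchor. This is the only party that handles the
// private data (birth date); it emits only the claim, bound to subjectPub.
func Issue(anchorPriv ed25519.PrivateKey, issuer string, subjectPub ed25519.PublicKey,
	birth, now time.Time) (SignedAttestation, error) {
	if birth.AddDate(18, 0, 0).After(now) {
		return SignedAttestation{}, errors.New("subject is under 18; no attestation issued")
	}
	att := Attestation{
		Issuer:     issuer,
		SubjectPub: subjectPub,
		Claim:      "age_over_18",
		NotAfter:   now.AddDate(1, 0, 0).Unix(), // assumed one-year validity
	}
	body, err := json.Marshal(att)
	if err != nil {
		return SignedAttestation{}, err
	}
	return SignedAttestation{Body: body, Sig: ed25519.Sign(anchorPriv, body)}, nil
}

// Verify runs at the relying party (the site checking age). It holds the
// anchor's public key from its trust-anchor list, receives the attestation and
// a signature over a fresh nonce from the presenter, and learns only the claim.
func Verify(anchorPub ed25519.PublicKey, sa SignedAttestation, nonce, nonceSig []byte,
	now time.Time) (Attestation, error) {
	if !ed25519.Verify(anchorPub, sa.Body, sa.Sig) {
		return Attestation{}, errors.New("attestation is not signed by a trusted anchor")
	}
	var att Attestation
	if err := json.Unmarshal(sa.Body, &att); err != nil {
		return Attestation{}, err
	}
	if now.Unix() > att.NotAfter {
		return Attestation{}, errors.New("attestation has expired")
	}
	if len(att.SubjectPub) != ed25519.PublicKeySize {
		return Attestation{}, errors.New("malformed subject public key")
	}
	// Proof of possession: a copied attestation is useless without the subject's private key.
	if !ed25519.Verify(ed25519.PublicKey(att.SubjectPub), nonce, nonceSig) {
		return Attestation{}, errors.New("presenter does not hold the subject key")
	}
	return att, nil
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	anchorPub, anchorPriv, _ := ed25519.GenerateKey(rand.Reader) // the DMV's keys
	subjPub, subjPriv, _ := ed25519.GenerateKey(rand.Reader)     // the user's keys
	birth := time.Date(2000, 5, 4, 0, 0, 0, 0, time.UTC)       // constructed sample data
	sa, err := Issue(anchorPriv, "example-dmv (constructed)", subjPub, birth, now)
	if err != nil {
		fmt.Println("issue failed:", err)
		return
	}
	nonce := make([]byte, 32)
	rand.Read(nonce) // relying party's fresh challenge
	att, err := Verify(anchorPub, sa, nonce, ed25519.Sign(subjPriv, nonce), now)
	fmt.Println("claim:", att.Claim, "err:", err)
}
```

The point relevant to the thread is visible in the two function signatures: `Issue` takes the birth date, `Verify` never does, so the relying party's check is a signature check against its trust-anchor list plus a freshness challenge. In a real deployment the nonce should be bound to the relying party and purpose (so a signature collected by one site cannot be replayed at another), and the anchor list is the policy decision the posters disagree about: who is allowed to appear on it.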