by derefr 4450 days ago
StartCom almost has the right idea with the way they do EV certs: they charge you for identity verification (the thing that actually requires human labor to do), and then the EV certs themselves (as many as you like, for as long as you like) are free.

I think the optimal thing would be moving the job of identity verification into OpenID identity providers. So you could create a plain OpenID identity, or pay for a verified OpenID identity. Then, CAs would just be infrastructure to issue free certs to whichever verified identity obviously owns them.

In fact, if identity verification came before domain registration et al., the certificate-issuance part could even be done proactively: you'd buy a domain, put your verified OpenID in the SOA record, and then some CA-bot would notice, prompt your identity provider to generate a CSR using the private key the identity provider has on file, and then send back a signed cert.


> moving the job of identity verification into OpenID identity providers

Please, don't. This idea is horrible.

With OpenID (and xAuth and Persona and whatever) your identity is provided, not asserted. This is a very important distinction. I believe any sane person wants to be a source of their identity (that's asserted by others), not to lease their very identity from a third party.

If you want an identity - generate a keypair. Publish your public key and let others sign it to assert this keypair is genuinely yours. It's that easy. (Although, sadly, X.509 doesn't support multiple signatures, so one can't do a proper web-of-trust with them.)

If you want automated domain ownership verification and completely automated certificate signing (and a whois-pointed email ownership check is not to your taste) - well, how about putting a CSR right in a TXT record of the domain? A CA-bot would see those and sign them. No need for identity providers except for a domain registrar.
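The CSR-in-a-TXT-record flow above, and the proactive CA-bot issuance in the top comment, both rely on a check neither comment spells out: before signing anything it read from DNS, the bot must verify the CSR's self-signature (proof the requester holds the private key) and that the CSR names only the domain whose record was fetched. This is an added example, not code from the thread; it uses Go's standard library, builds the TXT record value in memory rather than querying DNS, and assumes the record holds a PEM-encoded CSR.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// makeCSRRecord builds the TXT payload a domain owner would publish: a PEM CSR self-signed with their key.
func makeCSRRecord(domain string, key *ecdsa.PrivateKey) (string, error) {
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: domain}, DNSNames: []string{domain}}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})), err
}

// vetCSRRecord is the check a CA-bot must run before signing anything it read from DNS: the CSR's
// self-signature proves possession of the private key, and every name must be the domain queried.
func vetCSRRecord(domain, record string) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode([]byte(record))
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("TXT record for %s does not contain a PEM CSR", domain)
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR self-signature invalid: %w", err)
	}
	for _, n := range append(csr.DNSNames, csr.Subject.CommonName) {
		if n != domain {
			return nil, fmt.Errorf("CSR names %q, but the record belongs to %q", n, domain)
		}
	}
	return csr, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rec, _ := makeCSRRecord("example.com", key) // constructed in memory, not fetched from DNS
	_, okErr := vetCSRRecord("example.com", rec)
	_, badErr := vetCSRRecord("other.example", rec) // same CSR served under another domain's name
	fmt.Println("owner's record accepted:", okErr == nil, "| rehosted record rejected:", badErr != nil)
}
```

Without DNSSEC the TXT lookup itself is unauthenticated, so a real CA-bot would also need a trustworthy resolver path before any of these checks mean much.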

> If you want an identity - generate a keypair. Publish your public key and let others sign it to assert this keypair is genuinely yours.

You're hiding an unbounded amount of work under the word "publish" there. The important part of an identity is the part where people trust that someone using the identity is you. Just posting "hey, this is the public key for John Smith" on a website does nothing to prove that fact. (Key-signing parties prove that fact, but people don't do those.)

What does prove that fact is the background-check a CA does. But they only do it to create a private notion of your identity for themselves, which means that every CA has to do its own redundant background check, which is why certs cost money.

All I'm suggesting, here, is that the "background checking to create an ID number that maps to a specific person" part could be split off into its own business model, and the resulting ID number (in the form of an OpenID, or whatever else) reused by any-and-all organizations that wish to map tokens to real people.

Also:

> I believe, any sane person wants to be a source of their identity (that's asserted by others), not to lease their very identity from a third party.

You're never the source of your identity. For example, your name is only your name because the government you were born under has a law creating an identity, by mapping birth certificates to people, and your name is one aspect of that identity. Change citizenship from the US to China? Suddenly what you were considering "your name" is no more, and your new name is spelled in ideographs. You can certainly get people to call you by your old, alphabetic name--but that is a person-to-token mapping. In any token-to-person mapping--a phonebook, for example--you'll be found by your new government-created identity.

> You're never the source of your identity.

I guess you're (or I'm, that's well possible too) mistaking identity for something else.

In my understanding, identities are what we - or part of us, as one could have multiple identities - are, not how we're called or what we look like. And names, personal or domain ones, are not identities but their properties. Others could assert your identity by confirming those properties (like when a state issues a birth certificate with one's name on it) or even associate their own information with a person's identity (like assigning a trust level to a signature or limiting a signature's timespan or, say, adding a contract ID to a signature).

This is why OpenID and other attempts to shift identities from being owned (like one owns a certificate or password) to being merely leased don't look fancy to me.

I'm in your camp: identity is an intrinsic property of a person. Documents provide variously worthwhile assertions about that identity (legally recognized name of depicted individual is...).

One key point in this is that an authentic document can be fraudulent (just takes a bit of corruption down at the office).