The corporate identity problem

October 15, 2008

One of the periodically proposed spam solutions is that someone will issue certificates to people and if they misbehave, the certificates will be revoked. One of the many problems with this idea is what I will call the corporate identity problem.

The problem with corporate identities is twofold, or perhaps threefold. First, corporate identities are much like Internet identities: they provide only positive identity (that person A is associated with corporation B), not negative identity (that corporation B is not associated with person A). In fact there are a lot of legal features about corporations that are designed more or less expressly to hide who a corporation is owned by and associated with.

(Note that using these things is not illegal or even underhanded. Things like 'silent partners' are perfectly routine.)

This might not matter if it were hard to get corporate identities, but it isn't. It's both easy and common to create new corporations, even ones that are more or less anonymous, to the extent that there are lots of support services to help you out with it. Thus, there is nothing to stop people from having as many corporate identities as they need, and there is usually no way for an outsider not armed with a court order to know that behind all of the identities is the same set of bad people.

Finally, new corporations need things like domain names and certificates all the time. It's infeasible to say something like 'you cannot have an SSL certificate until you have been in business for two years', and attempting to do so would only serve the interests of the current incumbent companies (although I'm sure they'd be overjoyed at the sudden drop in new competition). Note that there are ways to (try to) do this indirectly, and they are going to be as problematic as just stating this limit outright; barriers to entry are barriers to entry, regardless of the exact form that they take.

To summarize, the corporate identity problem means that you can't throw people out of any system that allows corporations to be members, because the people behind a corporation can just get a new one. It also means that you cannot attach any trust to the mere existence of a corporate entity, because you don't actually know anything important about it.

Written on 15 October 2008.
Last modified: Wed Oct 15 01:23:20 2008