Henry Story wrote:
> 
> TLS currently helps one know that when opens a connection to a service
> (domain:port pair) one is actually connected to the machine that
> officially owns that domain.

That sounds backwards from what it is.

A DNS domain owner can obtain TLS server certificates for hosts in
his domain.  So when a TLS server shows a cert with a DNS Name in it
that chains to one of the RootCAs known in the TLS X.509 PKI as known
by common web browsers, then one assumes that this cert was obtained
by someone who could demonstrate to the relevant CA to be an admin
for that DNS domain.

For domain validated (DV) certs, the ability to receive the DNS admins
EMail is all that is verified.  Nowadays, DV-certs seem not to contain
any other data in subject and subject alt name about the cert requestor
besides the DNS hostname for which the cert was requested.


>
> It does not give one the big picture of
> what kind of entity one is actually connected to:
> ie. it does not answer the following questions:
> 
>  - is this a legal entity?
>  - which country is it based in (or which legal framework is it responsible to)
>  - who are the owners
>  - what kind of organisation is it?
>    (individual, bank, commerce, school, university, charity...)


That information is completely irrelavant to TLS and to the existing
server endpoint identification schemes on top of TLS (rfc2818,rfc6125).

The CABForum has defined schemes to verify additional attributes about
certificate requestors, which can be places as verified/vetted attributes
in "organzation verified" (OV) and "extended validation" (EV) certs,
but these come at a signficant extra cost, and that extra information is
only meaningful to human beings.


> 
> In a recent talk I gave at the European Identity conference in Biel,
> Switzerland, I looked at how this extra information could be made
> available by using WebID and Linked Data, published by official entities
> in ways that gave those documents legal weight. This would not be
> technically very difficult to do, but would provide huge benefits
> to the web.

While OV- and EV-certs may provide additional benefits to users who
actually verify these attributes, the information is irrelevant for "the web".


>
> It could increase trust in the way people use the web,
> and it could enable commerce in a much broader way that hitherto
> found on the web.

"The Web" is glued together with URLs, which distinguish places
_only_ by DNS Names, nothing else.  An URL does not distinguish
ACME bank from ACME fireworks, and there is no rule which of them
was first to register a particular DNS domain name.

So IMHO, the only way you could "increase (percieved) trust in the web"
would be to significantly deceive users about the underlying technology.

 
-Martin