33. Q. Why is signing is so slow?
A. Computing a digital signature involves the exponentiation of very large numbers. That is a very CPU intensive calculation that takes some time even with a fast processor. A private key operation such as signing requires performing several million operations per signature for a standard 1024-bit key. A somewhat less than bleeding edge machine such as an 800 MHz Pentium III is capable of generating 25-100 signatures per second.
35. Q. . If digital signatures and certs are so complex why force them on users?
A. Digital signatures are an enabling technology. The authentication protocol provided by digital signatures keeps the E-QSL process “open” to participation by third parties. The most complex issue that a user has to deal with is the initial verification of identity. Were a central server model to be used, the initial process of identity verification would remain the same.
37. Q. If just a password is good enough to secure Internet banking, trading stocks, online shopping, paying taxes, etc., then why isn’t a password sufficient for tQSLs?
A. Well, there’s a whole lot more at work behind the scenes in securing the typical e-commerce transaction than “just a password.” In fact, an integral part of the behind the scenes action involves the same identity certificates and digital signatures used in TrustedQSL. There’s absolutely no reason why tQSL implementations cannot be as equally transparent, appearing to the user to be no more complicated than “just a password.”
39. Q. Why do I need anything more than a user-id and password to log into a server and exchange tQSLs?
A. While you can login into a server and exchange tQSLs, you don’t have to. A user-id and secret password are a way of authenticating a connection such as a login session. However, an authenticated, trustworthy connection is not necessary for sending and receiving tQSLs. It’s the tQSLs themselves that are trustworthy, not the connection. That’s why an inherently “untrustworthy” transport mechanism such as e-mail can be used to exchange tQSLs or to “upload” tQSLs to an award sponsor. If the server you frequent requires the use of a user-id and password, it’s not because of tQSLs.
41. Q. I heard that the verification of my identity by a CA is going to involve paper. Heaven forbid! Why such a slow and onerous process?
A. The trustworthiness of a tQSL ultimately traces back to the identity verification performed by the CA. The effort expended in making sure that identification is made correctly is time well spent. To complete the initial verification process a tQSL CA must exchange some information with the user via a “trustworthy” channel. A commonly used trusted channel is the postal mail.
43. Q. Can’t the initial enrollment with a CA be performed entirely online?
A. It can’t, not entirely. The enrollment process can be initiated online. However, a totally online enrollment process would be readily spoofed and not trustworthy.
45. Q. I’ve enrolled in the Internet service of the XYZ Company entirely online, no postcard required. Why can’t a TrustedQSL CA employ an all-electronic enrollment like a real business does?
A. In the enrollment process for that service you likely provided some “personal secret” that verifies your identity. Such “secrets” might be a credit card number, an account number, SSN, PIN, etc. None of those are suitable for use by a TrustedQSL CA.
47. Q. Why must TrustedQSL be more secure then say, online shopping?
A. QSL’ing doesn’t need to be more secure than online shopping. Moreover, TrustedQSL isn’t. As just one example, e-commerce transactions such as online purchases are routinely conducted over an encrypted link in order to prevent eavesdropping. tQSLs contain no sensitive or secret information. So there’s no need to be employing security measures such as encryption in tQSLs.
49. Q. Why do I need an identity certificate for QSLs when I don’t need one to transact business online, to shop at Amazon.com for example?
A. Correct, you don’t need an identity certificate in order to shop at Amazon. However, it is true that every time you shop at Amazon your computer receives an identity certificate and authenticates a digital signature. Whenever you log onto a secure e-commerce site such as Amazon, the secure server sends a copy of its identify certificate and a digital signature to your computer. Together, the cert and signature prove that you’re really connected to a computer that, in this example, is a bona fide reresentative of Jeff Bezos’ company. In part this proof is meant to reassure you that an impostor out to steal your credit card number or drain your bank account has not spoofed the connection. TrustedQSL employs the same public key digital signature technology that you’ve used when making online purchases, most likely without ever being aware that you were using it. The crucial difference is that in e-commerce the digital signature is used to authenticate a live connection. In TrustedQSL’ing the digital signature is used to create an archival electronic document, a tQSL, which can be authenticated at any future date.