Talking about it or explaining it is like pulling teeth; generally just a thorough misunderstanding of the notion... even though cryptographic certificates make the modern internet possible.
Any number of entities can be certificate issuers, as long as they can be deemed sufficiently trustworthy. Schools, places of worship, police, notaries, employers... they can all play the role of trust anchor.
The app allows for self-revocation using the private key or a revocation code given when the cert is issued; this is useful if a certificate is compromised. There is also an admin interface a trust anchor can use to revoke certificates they issue; a rogue trust anchor chain can also be revoked.
Each trust anchor gets issued a single certificate that can have delegation ability, i.e. the ability to issue new trust anchor certs to others.
So if, say, a UPS store is issued a cert and they go rogue, we can just revoke the trust anchor cert that was issued to the store; all certs issued further down are also automatically revoked. The revocation check is done either in the app or, in the case of a third party performing the verification, they will recognize that there is a cert on the issuing chain that is revoked and reject the cert.
This is how TLS certs are handled too: if a CA goes rogue, all certs issued by that CA are revoked once the CA's root cert is revoked.
As for refund issues, that's a problem for the cert issuer to deal with.
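The chain revocation check described in the comment above, as an added example that is not part of the original thread or the app's own code: a verifier walks from a certificate up through its issuers and rejects it if any cert on the chain is revoked or if a trust anchor cert was issued by an anchor without delegation ability. The `Cert` fields, `check_chain`, and the sample IDs are hypothetical, and signature verification is assumed to have happened already.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    cert_id: str
    issuer_id: Optional[str]    # None marks a root
    is_anchor: bool = False     # trust anchor cert (may issue certs)
    can_delegate: bool = False  # may issue further trust anchor certs

def check_chain(cert_id, certs, revoked, trusted_roots):
    """Walk from cert_id to a trusted root; return (ok, reason)."""
    seen = set()
    current = certs.get(cert_id)
    if current is None:
        return False, "unknown certificate"
    while True:
        if current.cert_id in seen:          # malformed store: issuer cycle
            return False, "issuer loop"
        seen.add(current.cert_id)
        if current.cert_id in revoked:       # leaf or any ancestor revoked
            return False, f"revoked: {current.cert_id}"
        if current.issuer_id is None:
            ok = current.cert_id in trusted_roots
            return ok, ("trusted root reached" if ok else "untrusted root")
        issuer = certs.get(current.issuer_id)
        if issuer is None or not issuer.is_anchor:
            return False, f"invalid issuer for {current.cert_id}"
        if current.is_anchor and not issuer.can_delegate:
            return False, f"issuer of {current.cert_id} cannot delegate"
        current = issuer

# Constructed sample hierarchy (not real data).
CERTS = {c.cert_id: c for c in [
    Cert("root", None, True, True),
    Cert("store", "root", True, True),     # anchor with delegation
    Cert("kiosk", "store", True, False),   # anchor without delegation
    Cert("school", "root", True, False),
    Cert("rogue", "kiosk", True, False),   # anchor cert kiosk may not issue
    Cert("alice", "kiosk"),
    Cert("bob", "school"),
    Cert("carol", "rogue"),
]}

if __name__ == "__main__":
    for revoked in (set(), {"store"}):
        for leaf in ("alice", "bob", "carol"):
            print(sorted(revoked), leaf, check_chain(leaf, CERTS, revoked, {"root"}))
```

Revoking `store` invalidates `alice` two levels down while `bob`, issued under a different anchor, stays valid.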
> As for refund issues, that's a problem for the cert issuer to deal with.
No, it's your problem, as it's your brand slapped over everything, and now you've got tens of thousands of innocent people angry that you've revoked the IDs they paid for in good faith.
When you say that “we” can revoke, I assume you are talking about your company - the app. What sort of resources would be required to constantly audit the potentially thousands or hundreds of thousands of certificate issuers on your platform?
All certificates are cryptographically linked to an identity-anchor certificate, meaning buying a certificate would require the seller to reveal the private key tied to the identity-anchor certificate, a tall order I would argue.
In the case of stolen identity certificates, they can be revoked, thus making their illegitimate utility limited.
We can still have laws, e.g. that using someone else's certificate (or knowingly giving them your certificate) would constitute fraud.
We have laws against kids buying alcohol, even though kids can (and do) try to get adults to buy them booze, but I don't think that's a good reason to say we shouldn't have laws against kids drinking.
https://news.ycombinator.com/item?id=40298552#40298804