sslnext.com
DS Operation
A Directory Service (DS) has two basic required functions:
- Performing Verified Setups (VSU) for all servers and optionally for browsers
- Brokering the handshake to establish trust between parties during Internet communications
Verified Setups (VSU)
When a Web server first loads the SSLX module, the operator is instructed to perform a VSU with one of the public Directory Services (DS). This is mandatory, and it requires the Web site operator to supply specific, independently verifiable information through a separate communications channel (email). The DS and the Web server then perform a secure SSLX exchange of an authentication token called a DSK (DS Key). Every communication after this initial one between the server and the DS is secured with that DSK.

At the user's option, a browser may also perform a VSU with any public DS; no personal information is required of the end-user. During SSLX handshakes that use that DS, the browser's IP address and the holder of the assigned DSK are authenticated.
A VSU can be performed at one of three security levels: High, Medium and Low. High is the most secure: the DSK is split and the two parts are sent securely over two different communications channels, the browser and email. Medium sends the entire DSK outside the browser, via email. Low sends the DSK using public key encryption over the Internet (as traditional SSL does). Servers may not perform Low VSUs. The added protection of the High and Medium levels rests on the email channel being genuinely separate from the Internet path the handshake itself uses.
The VSU function matters because it is how the DS gathers and verifies public information about Web servers. It is the beginning of the Circle of Trust between browsers and servers, a significant improvement over the current techniques.
Brokering Trust
Once a Web site has verified all of its SSLX Web servers with a public DS, secure and authenticated connections can be brokered to anyone who wants to communicate with the site.

When a browser requests an SSLX page from a Web site, the SSLX handshake that follows involves a DS. If the browser has not performed a VSU, the DS that performed the VSU for that server is used. If the browser and the server have performed VSUs with different DSs, the chosen DS is the one with the 'most-trusted' relationship, that is, the higher VSU security level.
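As an added example (not code from SSLX or sslnext.com), the following Python sketches the two rules described on this page: a High VSU splitting the DSK into one share per channel, and the choice of brokering DS by VSU security level. The page does not say how the DSK is split or what happens when both parties' VSU levels are equal; the one-time-pad (XOR) split, the tie rule, and all names below are assumptions made for this illustration.

```python
import os
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class VsuLevel(IntEnum):
    """The three VSU security levels named on the page, ordered by trust."""
    LOW = 1      # DSK sent with public-key encryption over the Internet
    MEDIUM = 2   # whole DSK sent outside the browser, via email
    HIGH = 3     # DSK split: one part via the browser, the other via email


@dataclass(frozen=True)
class Vsu:
    """A completed Verified Setup: which DS performed it and at what level.

    Assumption: the page does not define a record type; this is illustrative.
    """
    ds_name: str
    level: VsuLevel


def server_may_use(level: VsuLevel) -> bool:
    """Page rule: servers may not perform Low VSUs."""
    return level != VsuLevel.LOW


def split_dsk(dsk: bytes) -> Tuple[bytes, bytes]:
    """Split a DSK into two shares for a High VSU, one per channel.

    Assumption: the page only says the DSK is "split"; an XOR split is used
    here so that either share on its own is statistically independent of the
    key, which is the property that makes two channels worth having.
    """
    if not dsk:
        raise ValueError("empty DSK")
    browser_share = os.urandom(len(dsk))                              # sent via the browser
    email_share = bytes(a ^ b for a, b in zip(dsk, browser_share))   # sent via email
    return browser_share, email_share


def recombine_dsk(browser_share: bytes, email_share: bytes) -> bytes:
    """Recover the DSK once both shares have arrived."""
    if len(browser_share) != len(email_share):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(browser_share, email_share))


def email_share_consistent_with(browser_share: bytes, candidate_dsk: bytes) -> bytes:
    """For any candidate DSK there is an email share that recombines to it,
    which is why intercepting only the browser share tells an attacker nothing."""
    return bytes(a ^ b for a, b in zip(candidate_dsk, browser_share))


def choose_broker_ds(server_vsu: Vsu, browser_vsu: Optional[Vsu]) -> str:
    """Select the DS that brokers the handshake, per the page's rules:
    no browser VSU -> the server's DS; different DSs -> the higher VSU level.
    Assumption: on a tie between different DSs the server's DS is used."""
    if not server_may_use(server_vsu.level):
        raise ValueError("servers may not perform Low VSUs")
    if browser_vsu is None or browser_vsu.ds_name == server_vsu.ds_name:
        return server_vsu.ds_name
    if browser_vsu.level > server_vsu.level:
        return browser_vsu.ds_name
    return server_vsu.ds_name


if __name__ == "__main__":
    # Constructed sample key; a real DSK would come from the DS exchange.
    dsk = bytes(range(32))
    b_share, e_share = split_dsk(dsk)
    assert recombine_dsk(b_share, e_share) == dsk
    print("broker:", choose_broker_ds(Vsu("ds-a", VsuLevel.MEDIUM), Vsu("ds-b", VsuLevel.HIGH)))
```

The split shows why a High VSU is stronger than Medium: an attacker who reads the email share alone, or the browser share alone, is left with a uniformly random string, and only the party that controls both channels can reconstruct the DSK.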
The DS used in an SSLX handshake is shown as a link in the browser's UI. The end-user can click it to view the VSU information in real time and confirm that the server is who it says it is. This information can also be checked at any time before or after an SSLX connection starts. The Circle of Trust thus extends from the DS to the other participant.
In real time, the DS has brokered the trust. The DS itself can be checked at the SSLX Public Administrator site as well, completing the chain of verification, and with it the security and trust, of the entire SSLX Web architecture.