CFP: PKI research workshop

lynn.wheeler at lynn.wheeler at
Thu Dec 27 18:08:43 EST 2001

I would tend to make the statement even stronger.

large, complex legacy systems tend to have slow technology uptake. most of
the certification authorities can be deployed in simple demos w/o impacting
the legacy systems and business process (possibly as a front-end process
that is peeled off before turning things over to the legacy business).

if you have legacy business process designed to support millions or
hundreds of millions of customers ... then any change to that system tends
to be significantly more expensive than a stand-alone certification
authority demo for a couple hundred.  The problem has been the crossover
from toy-demo to real production. In general, the legacy infrastructures
and business processes have been put into place for perfectly valid reasons
.... even if somewhat slow to change.

I'm acquainted with one example where a single screen update (as part of a
new function rollout) to a customer call-center supporting a tens-of-millions
customer environment cost more than a dozen or so certification authority
demo systems.  The issue was that call center was highly optimized and had
significant investment to scale into handling tens of millions of customers
very, very efficiently. To optimize a single screen & get it integrated
into a real live production environment required some amount of investment.
Such things as customer call-centers (not to mention scalable customer
call centers, scalable administrative and management infrastructure, etc)
for a customer service oriented operation .... could be totally ignored
when testing purely demo operations.

However, even with the cost of modifying a legacy operation .... having
authentication integrated into the standard every day business processes
.... is significantly cheaper than trying to treat authentication as an
independent service (and building the separate scalable infrastructure that
real customer service orientation involves).

As an aside point ... I've found very few business operations that go
around trying to perform authentication operations purely for the sake and
enjoyment of performing authentication operations. For the most part,
businesses will perform authentication operations (typically viewed as
overhead or cost issue) as part of some real, productive business service
(a revenue issue). I find it difficult to come up with a whole lot of
scenarios where cost overhead (authentication) operations are performed for
no business (revenue) purpose. As mentioned in a prior posting:

given that authentication is being performed as part of some business
process or function ...  then it is normally trivial to show it is easier
to have authentication (even digital signature authentication) integrated
into such business processes .... and correspondingly easy to show that
certificate-based operations are redundant, superfluous and extraneous
(modulo the issue that toy demos are cheaper than modifying production
business operations).

pgut001 at on 12/28/2001 3:41 am wrote:

Naah, it's the monorail/videophone/SST of security.  Looks great at the
Fair, but a bit difficult to turn into a reality outside the fairgrounds.

Peter (who would like to say that observation was original, but it was
       stolen from Scott Guthery).

The Cryptography Mailing List