invoicing with PKI
Anne & Lynn Wheeler
lynn at garlic.com
Wed Sep 3 10:36:55 EDT 2003
At 11:41 PM 9/2/2003 -0700, James A. Donald wrote:
>True names is where security took the wrong branch. The entire
>PKI structure has been rejected.
x.509 identity certificates are business processes ... not a cryptography
process. As I've mentioned elsewhere, many of the institutions that looked
at x.509 identity certificates in the early 90s had retrenched to
relying-party-only certificates with just some sort of account number and
public key. The problem of overloading an x.509 identity certificate with
lots of privacy information turned out to be an enormous identity and
liability problem. Part of the issue was creating a certificate at some
time in the past and attempting to guess at what might be needed by various
random relying-parties in the future ... led to overloading certificates
with ever-increasing privacy detail loaded. One of the content models was
driver's license, name, address, date-of-birth. Date-of-birth is an obvious
identity theft vulnerability. The idea of randomly spraying your privacy
detail all over the earth (attached to every electronic operation) turned
out to be a significant issue. Even just having your name attached to every
electronic operation and sprayed all over the world represented a
significant issue.
recent post in sci.crypt:
http://www.garlic.com/~lynn/2003l.html#33 RSA vs AES
and slightly related post (also from sci.crypt):
http://www.garlic.com/~lynn/2003l.html#36 Proposal for a new PKI model
--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com