The summer of PKI love

Mark Allen Earnest mxe20 at psu.edu
Fri Aug 12 14:44:32 EDT 2005


James A. Donald wrote:
>     --
> From: Stephan Neuhaus <neuhaus at st.cs.uni-sb.de>
> 
>>So, the optimism of the article's author aside, where
>>*do* we stand on PKI deployment?
> 
> 
> PKI's deployment to identify ssl servers is near one
> hundred percent.  PKI's deployment to sign and secure
> email, and to identify users, is near zero and seems
> unlikely to change.  PGP has substantially superior
> penetration. 

I would rank it closer to 0% myself. Don't get me wrong, we have plenty
of PK deployment with SSL servers, just no I. Anyone doing revocation
checking? How do you even do it? CRL? Delta CRL? OCSP? Do any browsers
really support these things? For those that do, does any user actually
know how to do it? PKI is a massive undertaking that many seem to
confuse with just public key cryptography. Public key crypto is just one
component of PKI, and frankly I know VERY few groups that are actually
doing PKI and doing it right.

What we have are a couple dozen certificate authorities that were deemed
trustworthy by Microsoft that do not pop up warnings, and the rest that
do pop up warnings that most people blissfully ignore. HTTPS is really
good for encryption, absolutely sucks in practice for trust.

-- 

Mark Allen Earnest

Lead Systems Programmer
Emerging Technologies
The Pennsylvania State University

KB3LYB