Another entry in the internet security hall of shame....

Anne & Lynn Wheeler lynn at garlic.com
Fri Aug 26 15:11:16 EDT 2005


periodically, some of the PKI-related comments remind me of some stories
about power production from the '70s.

some of the '70s energy stories focused on the different quality of
support for power generation technologies based on whether they were
institutional-centric (and would be able to charge for delivery)
vis-a-vis individual-oriented generation technologies (even when they
involved identical/same/similar solar, wind, etc. energy sources). one of
the issues from the energy stories of the '70s was that institutional-
centric solutions frequently collected a lot more backing because
proponents were willing to put the effort into the activity in
anticipation of revenue flows.

however, there are sometimes significant differences between the PKI
institutional-centric operations and institutional power generation
operations. The power being generated (and delivered) tends to be
relatively standard, and individuals may view it as a reasonable trade-off
to have it supported by a large institution rather than being responsible
for their own power generation installations.

There tends to be a much larger variation in the types of things which
PKI relying-parties are interested in having certified by some PKI
certification authority (somewhat different from a bland, uniform power
production operation).

Furthermore, PKI relying-parties frequently may still operate a
significant relationship management infrastructure of their own ...
where the information being certified by a trusted 3rd-party
certification authority represents a tiny fraction of the information
that a production relying party will be keeping. In these situations,
once a relying-party has to operate their own relationship management
infrastructure of any significance, then the benefit of any
certification added value by a trusted 3rd-party certification authority
becomes marginal at best.

Once a relying-party is operating any significant relationship
management infrastructure of their own, any certification done by some
3rd party certification authority frequently becomes redundant and
superfluous. It then follows that if the certification by some 3rd party
certification authority becomes redundant and superfluous, the associated
digital certificate (representing that certification operation) then
also becomes redundant and superfluous.

A trivial example in p2p ... is that an individual doesn't necessarily know
that the presentation of a "John Smith" x.509 identity certificate in
any way corresponds to a specific "John Smith" that the relying-party
individual is familiar with. They are frequently going to still rely on
some locally maintained repository as well as additional out-of-band
and/or other communication processes. Once they have done that ... then
the incremental effort to also include the other individual's public key
becomes trivial (at least from a high-level business process and
information theory standpoint). This, in turn, renders any added value
from a trusted 3rd party certificate authority (and their digital
certificates) marginal at best.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
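[Editor's added example, not part of Lynn Wheeler's post or of any project the post refers to.] The "John Smith" paragraph above describes an architecture rather than a protocol, and the shape of it is easy to show in code: the relying party already keeps a relationship record per counterparty, the counterparty's public key is one more field in that record, and incoming messages are checked against the pinned key with no certification authority in the loop. The self-asserted name in a message (the "John Smith" of the post) is never what the lookup keys on; the relying party's own account identifier plus the pinned key decide. The example below is written in Go against the standard library. Everything in it beyond the post's argument is an assumption for illustration: Ed25519 as the signature scheme (the post names x.509 but no algorithm), the account identifiers, the Relationship and Message field names, and the NUL-separated binding of account id and payload under the signature. Keys are generated fresh and the messages are constructed; no real data is involved.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Relationship is the relying party's own record for one counterparty. The
// business fields are the kind of thing the post says the relying party keeps
// anyway; PublicKey is the small addition that makes a third-party certificate
// unnecessary. Field names and values are assumptions for this example.
type Relationship struct {
	AccountID   string            // the relying party's own identifier for the counterparty
	DisplayName string            // what the RP calls them; informational only, never a lookup key
	CreditLimit int               // example of business data that no CA would certify
	PublicKey   ed25519.PublicKey // pinned when the relationship was set up, out of band
}

// Repository is the locally maintained relationship store.
type Repository struct {
	byAccount map[string]*Relationship
}

func NewRepository() *Repository {
	return &Repository{byAccount: make(map[string]*Relationship)}
}

// Enroll records a counterparty and pins its public key. The key arrives through
// whatever out-of-band process already establishes the relationship.
func (r *Repository) Enroll(rel *Relationship) error {
	if _, dup := r.byAccount[rel.AccountID]; dup {
		return fmt.Errorf("account %q already enrolled", rel.AccountID)
	}
	if len(rel.PublicKey) != ed25519.PublicKeySize {
		return fmt.Errorf("account %q: public key must be %d bytes", rel.AccountID, ed25519.PublicKeySize)
	}
	r.byAccount[rel.AccountID] = rel
	return nil
}

// Message is what arrives from a counterparty. ClaimedName is whatever the
// sender wrote and is deliberately ignored by Verify; only AccountID and
// Payload are under the signature.
type Message struct {
	ClaimedName string
	AccountID   string
	Payload     []byte
	Signature   []byte
}

var (
	ErrUnknownCounterparty = errors.New("no relationship on file; enrol out of band first")
	ErrBadSignature        = errors.New("signature does not verify under the pinned key")
)

// signedBytes binds the signature to the account it is meant for, so a signature
// captured for one relationship cannot be replayed against another that happens
// to pin the same key. The 0x00 separator keeps the encoding unambiguous
// (assumption: AccountID never contains NUL).
func signedBytes(accountID string, payload []byte) []byte {
	b := make([]byte, 0, len(accountID)+1+len(payload))
	b = append(b, accountID...)
	b = append(b, 0)
	return append(b, payload...)
}

// Sign is the counterparty side, used here only to build sample traffic.
func Sign(priv ed25519.PrivateKey, accountID, claimedName string, payload []byte) Message {
	return Message{ClaimedName: claimedName, AccountID: accountID, Payload: payload,
		Signature: ed25519.Sign(priv, signedBytes(accountID, payload))}
}

// Verify authenticates a message using nothing but the local repository. No
// certificate chain is consulted; the pinned key for the claimed account decides.
func (r *Repository) Verify(m Message) (*Relationship, error) {
	rel, ok := r.byAccount[m.AccountID]
	if !ok {
		return nil, ErrUnknownCounterparty
	}
	if !ed25519.Verify(rel.PublicKey, signedBytes(m.AccountID, m.Payload), m.Signature) {
		return nil, ErrBadSignature
	}
	return rel, nil
}

// ScenarioResult holds the Verify outcome (nil means accepted) for each constructed message.
type ScenarioResult struct {
	Legit, Impostor, Unknown, Tampered error
}

// Scenario replays the post's "John Smith" example with freshly generated keys.
func Scenario() (ScenarioResult, error) {
	repo := NewRepository()
	johnPub, johnPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	if err := repo.Enroll(&Relationship{AccountID: "A-1001", DisplayName: "John Smith", CreditLimit: 5000, PublicKey: johnPub}); err != nil {
		return ScenarioResult{}, err
	}
	var res ScenarioResult
	legit := Sign(johnPriv, "A-1001", "John Smith", []byte("ship order 77"))
	_, res.Legit = repo.Verify(legit)
	// Another keyholder asserting the same name: the name carries no weight, the pinned key for A-1001 decides.
	_, res.Impostor = repo.Verify(Sign(otherPriv, "A-1001", "John Smith", []byte("ship order 78")))
	// A valid signature from a party with no relationship on file proves nothing to this relying party.
	_, res.Unknown = repo.Verify(Sign(otherPriv, "A-9999", "John Smith", []byte("ship order 79")))
	// John's own signature carried over to a modified payload.
	tampered := legit
	tampered.Payload = []byte("ship order 7700")
	_, res.Tampered = repo.Verify(tampered)
	return res, nil
}

func main() {
	res, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legit: %v\nimpostor: %v\nunknown: %v\ntampered: %v\n", res.Legit, res.Impostor, res.Unknown, res.Tampered)
}
```

Running it accepts only the first message and rejects the other three. The design point the post makes is visible in Verify: the only thing it reads outside the message is the relying party's own record, and the "certification" that a CA would have sold (that some key belongs to some "John Smith") is replaced by the enrollment step the relying party was already doing for business reasons. What the code does not solve is key rotation or compromise: with a pinned key, the same out-of-band relationship process has to carry the replacement, which is the natural consequence of the argument rather than a gap in it.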