ID "theft" -- so what?

[Peter Gutmann]

John Kelsey <kelsey.j at ix.netcom.com> writes:

>One nontrivial reason is that many organizations have spent a lot of time and
>money building up elaborate rules for using PKI, after long negotiations
>between legal and technical people, many hours of writing and revising,
>gazillions of dollars in consultants' time, etc.  So, anytime you start doing
>anything involving public key cryptography, all this machinery gets invoked,
>for bureaucratic reasons.  That is, you've now trespassed on PKI turf, and
>you'll have to comply with this enormous set of rules.

I've seen this happen on many occasions, one example being the posting I made
to this list a few months ago where an organisation had spent so much money
setting up a PKI that they then had to use it (even though it was totally
unnecesary for what they were doing) simply because it was there.

>I know of a couple cases where this led to really irritating results.  In
>one, a friend of mine was using a digital signature to verify some fairly
>trivial thing, but was told it was against policy to use a digital signature
>without the whole PKI.

Been there, seen that.  You're well into layers 8 and 9 whenever anything
related to PKI is involved.  I think the fact that PKI is so strong at
enabling layers 8+9 is its great appeal to the inhabitants of said layers.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com