ID "theft" -- so what?
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sun Jul 17 11:06:42 EDT 2005
John Kelsey <kelsey.j at ix.netcom.com> writes:
>One nontrivial reason is that many organizations have spent a lot of time and
>money building up elaborate rules for using PKI, after long negotiations
>between legal and technical people, many hours of writing and revising,
>gazillions of dollars in consultants' time, etc. So, anytime you start doing
>anything involving public key cryptography, all this machinery gets invoked,
>for bureaucratic reasons. That is, you've now trespassed on PKI turf, and
>you'll have to comply with this enormous set of rules.
I've seen this happen on many occasions, one example being the posting I made
to this list a few months ago where an organisation had spent so much money
setting up a PKI that they then had to use it (even though it was totally
unnecessary for what they were doing) simply because it was there.
>I know of a couple cases where this led to really irritating results. In
>one, a friend of mine was using a digital signature to verify some fairly
>trivial thing, but was told it was against policy to use a digital signature
>without the whole PKI.
Been there, seen that. You're well into layers 8 and 9 whenever anything
related to PKI is involved. I think the fact that PKI is so strong at
enabling layers 8+9 is its great appeal to the inhabitants of said layers.
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com