PKI: The terrorists' secret weapon

[Anne & Lynn Wheeler]

Peter Gutmann wrote:
> 
> -- Snip --
> 
> As Carl Ellison put it, "Plenty of PK, precious little I".

slightly related URL from this morning

Browser Certs Can't Force Adherence 
http://www.networkcomputing.com/channels/security/showArticle.jhtml?articleID=198000131

in the past, i've repeatedly asserted that the "I" in PKI filled a need related to
letters of credit/introduction left-over from the offline, sailing ship days.

In on online world, such "I" tends to be redundant and superfluous ... typically representing
an (expensive) duplication of other facilities. 

Another way of looking at it is that typically cryptography has represented some aspect
of security ... and frequently the common wisdom is that security is something
that is best when built into the basic core business processes and infrastructure ... rather than
some independent add-on. This possibly has contributed to failure of most attempts to
create large revenue flow for some independent crypto/security feature (which frequently
is a characteristic of PKI deployments).

An example is some early to mid 90s proposed PKI deployments as an electronic driver's
license. The (driver's license) PKI certificate supposedly would be grossly 
overloaded with personal information ... creating enormous privacy issues.  Reliance on
information in the (PKI electronic) driver's license would be substituted for the growing
use of (online) real-time checks .... along with eliminating any of the information
that was becoming available from real-time checking (outstanding warrants, revocation,
overdue parking tickets, etc). Any claims as to real-time checks still could be done,
further highlighted the PKI part being a significantly expensive redundant and superfluous
operation.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com