Eric Murray <[EMAIL PROTECTED]> writes:

> Too often people see something like Peter's statement above and say
> "oh, it's that nasty ASN.1 in X.509 that is the problem, so we'll just
> do it in XML instead and then it'll work fine" which is simply not true.
> The formatting of the certificates is such a minor issue that it is lost
> in the noise of the real problems.  And Peter publishes a fine tool
> for printing ASN.1, so the "human readable" argument is moot.

Actually, the ASN.1 part is a major factor in the X.509
interoperability problems.  Different cert vendors include different
extensions, or different encodings.  They put different information
into different parts of the certificate (or indeed the same
information into different parts).  Does the FQDN for a server cert
belong in the DN or some extension?  What about the email address for
a user cert?

> Note that there isn't a real running global PKI using SPKI
> or PGP either.

That's a different problem (namely that the "big guys" like RSA
Security, Microsoft, and Verisign don't sell PGP-enabled software or
PGP certificates).  PGP's problem is an integration problem, making
it easy to use for non-techies.  That has been the barrier to entry
for PGP.

> The largest problem with X.509 is that various market/political forces
> have allowed Verisign to dominate the cert market and charge way too
> much for them.  There is software operable by non-cryptographers that
> will generate reasonable cert reqs (it's not standard Openssl) but
> individuals and corporations alike balk at paying $300-700 for each cert.
> (yes I know about the free "individual" certs, the failure of
> S/MIME is a topic for another rant).

This is only part of the problem... It is not all of it.  Indeed the
cost (both in money, time, and headache) has always been a barrier to
entry.  I don't believe that market or political forces are the largest
problem with X.509....  I will certainly agree that the cost is a
major impediment.

The question is:  how do we convince M$ and Netscape to include something
else in their software?  If it's not supported in IE, then it wont be
available to the vast majority of users out there.


       Derek Atkins
       Computer and Internet Security Consultant

Reply via email to