Eric Murray <[EMAIL PROTECTED]> writes:

> Too often people see something like Peter's statement above and say
> "oh, it's that nasty ASN.1 in X.509 that is the problem, so we'll just
> do it in XML instead and then it'll work fine" which is simply not true.
> The formatting of the certificates is such a minor issue that it is lost
> in the noise of the real problems. And Peter publishes a fine tool
> for printing ASN.1, so the "human readable" argument is moot.

Actually, the ASN.1 part is a major factor in the X.509 interoperability problems. Different cert vendors include different extensions, or different encodings. They put different information into different parts of the certificate (or indeed the same information into different parts). Does the FQDN for a server cert belong in the DN or some extension? What about the email address for a user cert?

> Note that there isn't a real running global PKI using SPKI
> or PGP either.

That's a different problem (namely that the "big guys" like RSA Security, Microsoft, and Verisign don't sell PGP-enabled software or PGP certificates). PGP's problem is an integration problem, making it easy to use for non-techies. That has been the barrier to entry for PGP.

> The largest problem with X.509 is that various market/political forces
> have allowed Verisign to dominate the cert market and charge way too
> much for them. There is software operable by non-cryptographers that
> will generate reasonable cert reqs (it's not standard Openssl) but
> individuals and corporations alike balk at paying $300-700 for each cert.
> (yes I know about the free "individual" certs, the failure of
> S/MIME is a topic for another rant).

This is only part of the problem... It is not all of it. Indeed the cost (both in money, time, and headache) has always been a barrier to entry. I don't believe that market or political forces are the largest problem with X.509.... I will certainly agree that the cost is a major impediment.

The question is: how do we convince M$ and Netscape to include something else in their software? If it's not supported in IE, then it won't be available to the vast majority of users out there.

-derek

--
Derek Atkins
Computer and Internet Security Consultant
[EMAIL PROTECTED]
www.ihtfp.com
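The interoperability point in the message above (the same FQDN showing up as the subject CN in one vendor's cert and in a subjectAltName extension in another's, with different ASN.1 string types) can be made concrete with a small DER walker. The following is an added example, not code from anyone in this thread: it hand-builds two constructed, simplified certificate fragments (a DER Name and a DER Extensions list, not full certificates) and applies the usual client rule of preferring SAN dNSName entries and falling back to the CN only when the SAN carries none. The vendor labels, hostnames and helper names are all assumptions for illustration.

```python
"""Added example: minimal DER walker showing where a server cert's FQDN may live.
Not from the original thread; sample data below is constructed."""

# Universal ASN.1 tags used here
TAG_SEQUENCE, TAG_SET, TAG_OID, TAG_OCTETSTRING = 0x30, 0x31, 0x06, 0x04
TAG_UTF8STRING, TAG_PRINTABLESTRING, TAG_IA5STRING = 0x0C, 0x13, 0x16
DNS_NAME_TAG = 0x82          # context-specific [2]: GeneralName.dNSName
CN_OID = bytes.fromhex("550403")    # 2.5.4.3  commonName
SAN_OID = bytes.fromhex("551d11")   # 2.5.29.17 subjectAltName


def der(tag, content):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def read_tlv(buf, pos):
    """Decode the TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def walk(buf):
    """Yield (tag, value) for every sibling TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def contents(buf):
    """Value bytes of the single outer TLV in buf."""
    return read_tlv(buf, 0)[1]


def names_from_subject(subject):
    """CN values from a DER Name, whatever string type the vendor chose."""
    out = []
    for _, rdn_set in walk(contents(subject)):            # RDN is a SET
        for _, atv in walk(rdn_set):                      # AttributeTypeAndValue
            (_, oid), (vtag, val) = list(walk(atv))
            if oid == CN_OID and vtag in (TAG_UTF8STRING, TAG_PRINTABLESTRING, TAG_IA5STRING):
                out.append(val.decode("utf-8"))
    return out


def names_from_extensions(extensions):
    """dNSName entries from a subjectAltName extension, if one is present."""
    out = []
    for _, ext in walk(contents(extensions)):             # Extension SEQUENCE
        items = list(walk(ext))                            # [OID, (critical?), OCTET STRING]
        if items[0][1] == SAN_OID:
            san_der = items[-1][1]                         # extnValue wraps GeneralNames DER
            for tag, gn in walk(contents(san_der)):
                if tag == DNS_NAME_TAG:
                    out.append(gn.decode("ascii"))
    return out


def host_names(subject, extensions):
    """Client-side rule (RFC 2818 / RFC 6125): SAN dNSNames win; CN only if none."""
    san = names_from_extensions(extensions)
    names = san if san else names_from_subject(subject)
    return sorted({n.lower().rstrip(".") for n in names})   # case-insensitive compare


def attr(oid, string_tag, text):
    """One RDN: SET { SEQUENCE { OID, string } }."""
    return der(TAG_SET, der(TAG_SEQUENCE, der(TAG_OID, oid) + der(string_tag, text.encode())))


# Constructed sample A: hostname only in CN, encoded as PrintableString, no extensions.
SUBJECT_A = der(TAG_SEQUENCE, attr(CN_OID, TAG_PRINTABLESTRING, "www.example.com"))
EXTS_A = der(TAG_SEQUENCE, b"")

# Constructed sample B: CN is a UTF8String display name; real hostnames live in SAN.
SUBJECT_B = der(TAG_SEQUENCE, attr(CN_OID, TAG_UTF8STRING, "Example Web Server"))
SAN_B = der(TAG_SEQUENCE, der(DNS_NAME_TAG, b"WWW.Example.com") + der(DNS_NAME_TAG, b"example.com"))
EXTS_B = der(TAG_SEQUENCE, der(TAG_SEQUENCE, der(TAG_OID, SAN_OID) + der(TAG_OCTETSTRING, SAN_B)))

if __name__ == "__main__":
    print("A:", host_names(SUBJECT_A, EXTS_A))   # ['www.example.com']
    print("B:", host_names(SUBJECT_B, EXTS_B))   # ['example.com', 'www.example.com']
```

A verifier that only reads the CN accepts sample A and rejects sample B; one that only reads the SAN does the opposite. Looking in both places, in the order above, is what lets one client talk to certs from both vendors.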