At 11:41 PM 9/2/2003 -0700, James A. Donald wrote:
> True names is where security took the wrong branch.  The entire
> PKI structure has been rejected.

x.509 identity certificates are business processes ... not a cryptography process. As I've mentioned elsewhere, many of the institutions that looked at x.509 identity certificates in the early 90s had retrenched to relying-party-only certificates with just some sort of account number and public key. The problem of overloading an x.509 identity certificate with lots of privacy information turned out to be an enormous identity and liability problem. Part of the issue was that creating a certificate at some time in the past and attempting to guess at what might be needed by various random relying-parties in the future ... led to overloading certificates with ever increasing privacy detail. One of the content models was driver's license: name, address, date-of-birth. Date-of-birth is an obvious identity theft vulnerability. The idea of randomly spraying your privacy detail all over the earth (attached to every electronic operation) turned out to be a significant issue. Even just having your name attached to every electronic operation and sprayed all over the world represented a significant issue.


recent post in sci.crypt:
http://www.garlic.com/~lynn/2003l.html#33 RSA vs AES

and slightly related post (also from sci.crypt):
http://www.garlic.com/~lynn/2003l.html#36 Proposal for a new PKI model


--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
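An added illustration of the two certificate content models contrasted in Lynn's post (example code written for this page, not code from the post, the mailing list, or any project mentioned): one certificate carries the "driver's license" content model (real name, street address, date of birth in the subject), the other is relying-party-only (subject is just an account number, plus the public key). It uses Go's standard crypto/x509 package; the account number, name, address and date of birth are constructed sample values, and the dateOfBirth attribute uses the id-pda-dateOfBirth OID from RFC 3739, encoded here as a printable string for simplicity. The Registry type is a hypothetical stand-in for the relying party's own account database.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-pda-dateOfBirth from RFC 3739 (qualified certificate personal data).
var oidDateOfBirth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 9, 1}

// sensitiveOIDs maps subject attribute types that carry personal detail to a
// readable label. A relying-party-only certificate should contain none of them.
var sensitiveOIDs = map[string]string{
	"2.5.4.3":           "commonName (real name)",
	"2.5.4.9":           "streetAddress",
	"2.5.4.16":          "postalAddress",
	"1.3.6.1.5.5.7.9.1": "dateOfBirth",
}

// PrivacyLeaks lists the subject attributes of cert that expose personal detail
// to every relying party the certificate is ever shown to.
func PrivacyLeaks(cert *x509.Certificate) []string {
	var leaks []string
	for _, atv := range cert.Subject.Names { // Names holds every parsed attribute
		if label, ok := sensitiveOIDs[atv.Type.String()]; ok {
			leaks = append(leaks, label)
		}
	}
	return leaks
}

// selfSign issues a self-signed certificate for subject with a fresh P-256 key
// and returns it parsed, so the subject is seen the way a relying party sees it.
func selfSign(subject pkix.Name) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IdentityCert models the early-90s content model the post criticises:
// real name, street address and date of birth baked into the subject.
func IdentityCert() (*x509.Certificate, error) {
	return selfSign(pkix.Name{
		CommonName:    "Example Person",             // constructed sample value
		StreetAddress: []string{"1 Example Street"}, // constructed sample value
		ExtraNames: []pkix.AttributeTypeAndValue{
			{Type: oidDateOfBirth, Value: "19700101"}, // constructed sample value
		},
	})
}

// RelyingPartyOnlyCert models the retrenched design: the subject carries only
// an account number the relying party already knows, plus the public key.
func RelyingPartyOnlyCert() (*x509.Certificate, error) {
	return selfSign(pkix.Name{SerialNumber: "ACCT-0001"}) // constructed account number
}

// Registry is a hypothetical stand-in for the relying party's own account
// database: account number to the public key registered when the account was opened.
type Registry map[string]*ecdsa.PublicKey

// Accept reports whether cert presents an account the relying party knows and
// the key it registered for that account. Nothing else in the subject is consulted,
// so the certificate never needs to carry name, address or date of birth.
func (r Registry) Accept(cert *x509.Certificate) bool {
	registered, ok := r[cert.Subject.SerialNumber]
	if !ok {
		return false
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(registered)
}

func main() {
	id, _ := IdentityCert()
	rp, _ := RelyingPartyOnlyCert()
	fmt.Println("identity cert leaks:", PrivacyLeaks(id))
	fmt.Println("relying-party-only cert leaks:", PrivacyLeaks(rp))
	reg := Registry{rp.Subject.SerialNumber: rp.PublicKey.(*ecdsa.PublicKey)}
	fmt.Println("relying party accepts account cert:", reg.Accept(rp))
	fmt.Println("relying party accepts identity cert:", reg.Accept(id))
}
```

The point of the Registry check is that identity is established by the relying party's own record of the account, made at enrolment, not by whatever was guessed into the certificate when it was issued; the certificate only binds an account number to a key.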



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
