John Kelsey <[EMAIL PROTECTED]> writes:

>One nontrivial reason is that many organizations have spent a lot of time and
>money building up elaborate rules for using PKI, after long negotiations
>between legal and technical people, many hours of writing and revising,
>gazillions of dollars in consultants' time, etc. So, anytime you start doing
>anything involving public key cryptography, all this machinery gets invoked,
>for bureaucratic reasons. That is, you've now trespassed on PKI turf, and
>you'll have to comply with this enormous set of rules.

I've seen this happen on many occasions, one example being the posting I made to this list a few months ago where an organisation had spent so much money setting up a PKI that they then had to use it (even though it was totally unnecessary for what they were doing) simply because it was there.

>I know of a couple cases where this led to really irritating results. In
>one, a friend of mine was using a digital signature to verify some fairly
>trivial thing, but was told it was against policy to use a digital signature
>without the whole PKI.

Been there, seen that. You're well into layers 8 and 9 whenever anything related to PKI is involved. I think the fact that PKI is so strong at enabling layers 8+9 is its great appeal to the inhabitants of said layers.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List