James A. Donald wrote:
> --
> From: Stephan Neuhaus <[EMAIL PROTECTED]>
>
>> So, the optimism of the article's author aside, where
>> *do* we stand on PKI deployment?
>
> PKI's deployment to identify ssl servers is near one
> hundred percent. PKI's deployment to sign and secure
> email, and to identify users, is near zero and seems
> unlikely to change. PGP has substantially superior
> penetration.

I would rank it closer to 0% myself. Don't get me wrong, we have plenty of PK deployment with SSL servers, just no I. Anyone doing revocation checking? How do you even do it? CRL? Delta CRL? OCSP? Do any browsers really support these things? For those that do, does any user actually know how to do it?

PKI is a massive undertaking that many seem to confuse with just public key cryptography. Public key crypto is just one component of PKI, and frankly I know VERY few groups that are actually doing PKI and doing it right.

What we have are a couple dozen certificate authorities that were deemed trustworthy by Microsoft that do not pop up warnings, and the rest that do pop up warnings that most people blissfully ignore. HTTPS is really good for encryption, absolutely sucks in practice for trust.

--
Mark Allen Earnest

Lead Systems Programmer
Emerging Technologies
The Pennsylvania State University

KB3LYB