Periodically, some of the PKI-related comments remind me of some stories about power production from the '70s.

Some of the '70s energy stories focused on the different quality of support for power generation technologies based on whether they were institution-centric (and would be able to charge for delivery) vis-a-vis individual-oriented generation technologies (even when they involved identical/same/similar solar, wind, etc. energy sources). One of the issues from the energy stories of the '70s was that institution-centric solutions frequently collected a lot more backing because proponents were willing to put the effort into the activity in anticipation of revenue flows.

However, there are sometimes significant differences between the PKI institution-centric operations and institutional power generation operations. The power being generated (and delivered) tends to be relatively standard, and individuals may view it as a reasonable trade-off to have it supported by a large institution rather than being responsible for their own power generation installations. There tends to be a much larger variation in the types of things which PKI relying parties are interested in having certified by some PKI certification authority (somewhat different from bland, uniform power production operation). Furthermore, PKI relying parties frequently may still operate a significant relationship management infrastructure of their own ... where the information being certified by a trusted 3rd-party certification authority represents a tiny fraction of the information that a production relying party will be keeping. In these situations, once a relying party has to operate their own relationship management infrastructure of any significance, the benefit of any certification added value by a trusted 3rd-party certification authority becomes marginal at best. Once a relying party is operating any significant relationship management infrastructure of their own, any certification done by some 3rd-party certification authority frequently becomes redundant and superfluous.

It then follows that if the certification by some 3rd-party certification authority becomes redundant and superfluous, the associated digital certificate (representing that certification operation) then also becomes redundant and superfluous. A trivial example in p2p ... is that an individual doesn't necessarily know that the presentation of a "John Smith" x.509 identity certificate in any way corresponds to a specific "John Smith" that the relying-party individual is familiar with. They are frequently going to still rely on some locally maintained repository as well as additional out-of-band and/or other communication processes. Once they have done that ... then the incremental effort to also include the other individual's public key becomes trivial (at least from a high-level business process and information theory standpoint). This, in turn, renders any added value from a trusted 3rd-party certificate authority (and their digital certificates) marginal at best.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
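The p2p situation the post describes, worked through as an added example (this is not code from the original message or from any project it mentions): a relying party already keeps its own relationship store, keyed by its own local identifier rather than by whatever name a certificate carries. The public key is just one more field in that record, pinned after out-of-band verification, and signature checks consult only the local store; no certificate or CA chain is involved. Two records share the display name "John Smith" to show that the name alone binds nothing. The identifiers ("jsmith-accounting", "jsmith-vendor", "alice-ops"), the verification notes and the sample message are constructed for the example; the signature scheme is Ed25519 from Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Sentinel errors so a caller can tell "I don't know this party" from
// "I know them but never pinned a key" from "the signature is wrong".
var (
	ErrUnknownContact = errors.New("no relationship record for this contact")
	ErrNoPinnedKey    = errors.New("contact exists but no key was verified out of band")
	ErrBadSignature   = errors.New("signature does not verify under the pinned key")
)

// Contact is one record in the relying party's own relationship store.
// LocalID and Name are what was being kept anyway; PubKey and Verified are
// the incremental fields that make a third-party certificate redundant.
type Contact struct {
	LocalID  string            // the relying party's own handle (hypothetical, e.g. "jsmith-accounting")
	Name     string            // display name only; several contacts may share it
	PubKey   ed25519.PublicKey // nil until a key has been verified out of band
	Verified string            // free-text note on how the key was checked
}

// RelationshipStore is the locally maintained repository, keyed by LocalID,
// never by the subject name a certificate happens to carry.
type RelationshipStore struct {
	byLocalID map[string]*Contact
}

func NewRelationshipStore() *RelationshipStore {
	return &RelationshipStore{byLocalID: make(map[string]*Contact)}
}

// Add creates the relationship record; it exists before any key material does.
func (s *RelationshipStore) Add(localID, name string) {
	s.byLocalID[localID] = &Contact{LocalID: localID, Name: name}
}

// PinKey stores a public key for an existing contact. The caller asserts, via
// the how note, that the key was confirmed through an out-of-band channel.
func (s *RelationshipStore) PinKey(localID string, pub ed25519.PublicKey, how string) error {
	c, ok := s.byLocalID[localID]
	if !ok {
		return ErrUnknownContact
	}
	if len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("pin %s: bad key length %d", localID, len(pub))
	}
	c.PubKey = append(ed25519.PublicKey(nil), pub...) // defensive copy
	c.Verified = how
	return nil
}

// VerifyFrom checks that msg was signed by the key pinned for localID.
// Only the local store is consulted: no certificate, no CA chain.
func (s *RelationshipStore) VerifyFrom(localID string, msg, sig []byte) error {
	c, ok := s.byLocalID[localID]
	if !ok {
		return ErrUnknownContact
	}
	if c.PubKey == nil {
		return ErrNoPinnedKey
	}
	if !ed25519.Verify(c.PubKey, msg, sig) {
		return ErrBadSignature
	}
	return nil
}

// Outcome collects the result of each check in the two-John-Smiths scenario
// so the behaviour can be inspected without reading printed output.
type Outcome struct {
	KnownSmithOK      error // message from the John Smith we pinned, checked as that contact
	OtherSmithAsKnown error // same message attributed to the other John Smith record
	Unpinned          error // message attributed to a known contact with no key pinned yet
	Stranger          error // message attributed to someone not in the store at all
}

// Scenario builds a constructed store, pins keys, signs one message and
// runs it through the four cases above.
func Scenario() (Outcome, error) {
	var out Outcome
	store := NewRelationshipStore()
	store.Add("jsmith-accounting", "John Smith") // the John Smith we actually deal with
	store.Add("jsmith-vendor", "John Smith")     // an unrelated John Smith, same name
	store.Add("alice-ops", "Alice Doe")          // known, but key not yet confirmed

	pubAcct, privAcct, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	pubVend, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	// Keys are pinned only after the relying party confirmed them out of band (notes are constructed).
	if err := store.PinKey("jsmith-accounting", pubAcct, "fingerprint read back over the phone"); err != nil {
		return out, err
	}
	if err := store.PinKey("jsmith-vendor", pubVend, "exchanged in person"); err != nil {
		return out, err
	}

	msg := []byte("please pay invoice 1234 to account 9999") // constructed sample message
	sig := ed25519.Sign(privAcct, msg)

	out.KnownSmithOK = store.VerifyFrom("jsmith-accounting", msg, sig)
	out.OtherSmithAsKnown = store.VerifyFrom("jsmith-vendor", msg, sig)
	out.Unpinned = store.VerifyFrom("alice-ops", msg, sig)
	out.Stranger = store.VerifyFrom("bob-unknown", msg, sig)
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("our John Smith:       ", out.KnownSmithOK)
	fmt.Println("other John Smith:     ", out.OtherSmithAsKnown)
	fmt.Println("known, no key pinned: ", out.Unpinned)
	fmt.Println("stranger:             ", out.Stranger)
}
```

The design point is that the lookup key is the relying party's own handle, so a signature from the wrong John Smith fails as a bad signature rather than being accepted because a certificate subject happened to match; the three distinct errors let a caller treat "never verified" and "unknown" differently from "forged".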