Ed Gerck wrote:
> PGP is public-key email without PKI. So is IBE. And yet neither of them has
> all the identical, same basic components that PKI also needs. Now, when you
> look at the paper on email security at
> http://email-security.net/papers/pki-pgp-ibe.htm
> you see that the issue of what components PKI needs (or not) is not
> relevant to the analysis.

usually when you are doing baseline ... you start with the simplest, evaluate that and then incrementally add complexity. in that sense PGP is much closer to the simplest baseline ... and PKI becomes added complexity ... inverting your classification; email PKI is PGP with digital certificates added.

you then could add various layers of public key operation where the relying parties have direct access to the information in one way or another and therefore don't require stale, static, armored cached copies (digital certificate) of the real information.

then you can go thru numerous layers of PKI ... are the relying parties and the digital certificate creators part of the same business organizations ... and therefore require neither contractual relationship and/or CPS as a substitute for contractual relationship.

then add trusted third party certification authority PKI ... where the relying parties and the certification authorities have direct contractual relationship and therefore don't require CPS as a substitute for contractual relationship.

it is when you get to trusted third party certification authority PKI ... where the relying parties and the ttp/ca are part of totally different business operations and have no contractual relationship that you then get into the issue of how does a relying party actually know that it should be trusting a ttp/ca.

---------------------------------------------------------------------
The Cryptography Mailing List