Peter Gutmann wrote:

-- Snip --

As Carl Ellison put it, "Plenty of PK, precious little I".

slightly related URL from this morning

Browser Certs Can't Force Adherence http://www.networkcomputing.com/channels/security/showArticle.jhtml?articleID=198000131

in the past, i've repeatedly asserted that the "I" in PKI filled a need related to letters of credit/introduction left-over from the offline, sailing ship days.

In an online world, such "I" tends to be redundant and superfluous ... typically representing an (expensive) duplication of other facilities.

Another way of looking at it is that typically cryptography has represented some aspect of security ... and frequently the common wisdom is that security is something that is best when built into the basic core business processes and infrastructure ... rather than some independent add-on. This possibly has contributed to failure of most attempts to create large revenue flow for some independent crypto/security feature (which frequently is a characteristic of PKI deployments).

An example is some early to mid 90s proposed PKI deployments as an electronic driver's license. The (driver's license) PKI certificate supposedly would be grossly overloaded with personal information ... creating enormous privacy issues. Reliance on information in the (PKI electronic) driver's license would be substituted for the growing use of (online) real-time checks ... along with eliminating any of the information that was becoming available from real-time checking (outstanding warrants, revocation, overdue parking tickets, etc). Any claims that real-time checks still could be done further highlighted the PKI part being a significantly expensive, redundant and superfluous operation.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
