On 07/28/2010 11:05 AM, Nicolas Williams wrote:
Are you arguing for Kerberos for Internet-scale deployment?  Or simply
for PKI with rp-only certs and OCSP?  Or other "federated"
authentication mechanism?  Or all of the above?  :)

as i've mentioned ... the relying-party-only certificates are almost always 
redundant and superfluous ... except in cases where the relying party can't 
justify their own repository of information and/or distributed access to such a 
repository of information.

I previously mentioned that in the payment transaction case, even a 
relying-party-only certificate was a factor of 100-times payload size bloat for 
typical payment transactions ... aka not only was the certificate redundant and 
superfluous ... but it represented an enormous (redundant and superfluous) 
processing burden.

I've mentioned a number of times that OCSP appeared after I had repeatedly ridiculed 
revokation process being archaic backwards step for real-time payment processes. And that 
even OCSP (with a certificate) is still redundant and superfluous when real-time 
transaction is being performed using the "real" information.

the other scenario for rpo-certs ... besides for no-value operations ...  is 
when the real infrastructure is down and/or not accessible. But that usually is 
matter of cost also, some of the higher-value operations have gone to 
significant redundancy and claim 100% availability. The certificate analogy is 
still the letters of credit/introduction from sailing ship days ... when the 
relying-party had no (other) access to first time interaction with complete 
stranger (and has to fall back to much cruder and lower quality information).

There is also some scenario if the respository and the service are co-located 
... that when the repository is unavailable the service will also be 
unavailable ... so there is no requirement for independent source of 

The catch22 for certification authority operation ... is that as they move further 
& further into the no-value market niches (and/or market niches that can't 
justify the expense of higher quality operation with real-time repository) ... they 
are forced to cut their fees and indirectly the quality of their operation.

virtualization experience starting Jan1968, online at home since Mar1970

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to