I would tend to make the statement even stronger.
large, complex legacy systems tend to have slow technology uptake. most of the certification authorities can be deployed in simple demos w/o impacting the legacy systems and business process (possibly as a front-end process that is peeled off before turning things over to the legacy business process). if you have legacy business process designed to support millions or hundreds of millions of customers ... then any change to that system tends to be significantly more expensive than a stand-alone certification authority demo for a couple hundred.

The problem has been the cross over from toy-demo to real production. In general, the legacy infrastructures and business processes have been put into place for perfectly valid reasons .... even if somewhat slow to change.

I'm acquainted with one example where a single screen update (as part of a new function rollout) to a customer call-center supporting tens of million customer environment cost more than a dozen or so certification authority demo systems. The issue was that call center was highly optimized and had significant investment to scale into handling tens of millions of customers very, very efficiently. To optimize a single screen & get it integrated into a real live production environment required some amount of investment.

Such things as customer call-centers (not to mention scalable customer call centers, scalable administrative and management infrastructure, etc) for a customer service oriented operation .... could be totally ignored when testing purely demo operations.

However, even with the cost of modifying a legacy operation .... where authentication is integrated into the standard every day business processes .... is significantly cheaper than trying to treat authentication as an independent service (and build a separate scalable infrastructure that real customer service orientation involves).

As an aside point ... I've found very few business operations that go around trying to perform authentication operations purely for the sake and enjoyment of performing authentication operations. For the most part, businesses will perform authentication operations (typically viewed as overhead or cost issue) as part of some real, productive business service (a revenue issue). I find it difficult to come up with a whole lot of scenarios where cost overhead (authentication) operations are performed for no business (revenue) purpose.

As mentioned in prior posting

http://www.garlic.com/~lynn/aadsm9.htm#cfppki6

given that authentication is being performed as part of some business process or function ... then it is normally trivial to show it is easier to have authentication (even digital signature authentication) integrated into such business processes .... and correspondingly easy to show that certificate-based operations are redundant, superfluous and extraneous (modulo the issue of toy demos are cheaper than modifying production business operations).

[EMAIL PROTECTED] on 12/28/2001 3:41 am wrote:

Naah, it's the monorail/videophone/SST of security. Looks great at the World Fair, but a bit difficult to turn into a reality outside the fairgrounds.

Peter (who would like to say that observation was original, but it was actually stolen from Scott Guthery).