On Jul 8, 2008, at 2:46 PM, Carol Lerche wrote:

> I am puzzled about the PKI infrastructure you envision. I envision having a
> private certificate authority that runs on the teacher's XO and keeps its
> keystore on a USB thumb drive.
To summarize for those who haven't heard me rant about this in person: actual PKI is almost never the answer. It is a question, and the answer is "hell, no."

While you may believe the setup you have in mind is easy and uncomplicated, the odds are *overwhelmingly*, **super-stunningly** stacked against you to make PKI work the way you want in production. The fact that TLS client certs, in particular, have zero commercial end-user deployment uptake, should tell you something.

I cannot recommend more strongly to stay the bloody hell away from the entire real PKI/X.509/CAs morass. A solution based on e.g. SSH and key continuity is, while certainly less traditional, enormously likely to work out better in practice.

-- 
Ivan Krstić <[EMAIL PROTECTED]> | http://radian.org

_______________________________________________
Devel mailing list
[email protected]
http://lists.laptop.org/listinfo/devel
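The "SSH and key continuity" approach mentioned in the reply is what OpenSSH's known_hosts file implements: pin a host's key the first time you see it, then refuse later connections that present a different key. The following is an added example illustrating that check, not code from the thread or from the OLPC project; the host name, the `KnownHosts` class and the "keys" (SHA-256 digests of constructed labels standing in for real public keys) are all assumptions made for the demonstration.

```python
"""Key continuity ("trust on first use") in the style of SSH known_hosts.

Added example, not code from the original message. The host names and
key bytes below are constructed stand-ins, not real SSH keys.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def fingerprint(pubkey: bytes) -> str:
    """Stable identifier for a public key, like `ssh-keygen -l` output."""
    return "SHA256:" + hashlib.sha256(pubkey).hexdigest()


class KeyChanged(Exception):
    """A host we have seen before presented a different key.

    This is the event key continuity exists to surface: either the host
    was legitimately re-keyed, or something is sitting between us and it.
    """


class KnownHosts:
    """Minimal pin store: host name -> fingerprint seen on first contact."""

    def __init__(self, store: Optional[Dict[str, str]] = None):
        self.store: Dict[str, str] = store if store is not None else {}

    @classmethod
    def load(cls, path: Path) -> "KnownHosts":
        # Missing file means no pins yet; every host is "new".
        if not path.exists():
            return cls()
        return cls(json.loads(path.read_text()))

    def save(self, path: Path) -> None:
        path.write_text(json.dumps(self.store, indent=2, sort_keys=True))

    def check(self, host: str, pubkey: bytes) -> str:
        """Return "new" (pinned now) or "match"; raise KeyChanged otherwise."""
        fp = fingerprint(pubkey)
        pinned = self.store.get(host)
        if pinned is None:
            # First use: remember this key. No CA involved, the pin itself
            # is the trust decision, and it is visible and auditable.
            self.store[host] = fp
            return "new"
        if pinned == fp:
            return "match"
        raise KeyChanged(f"{host}: pinned {pinned[:19]}..., got {fp[:19]}...")


def demo() -> List[str]:
    """Walk through first contact, a repeat contact, and a key mismatch."""
    kh = KnownHosts()
    teacher_key = b"constructed-teacher-xo-host-key"      # constructed
    impostor_key = b"constructed-some-other-host-key"     # constructed
    events = [
        kh.check("teacher-xo.local", teacher_key),       # "new"
        kh.check("teacher-xo.local", teacher_key),       # "match"
    ]
    try:
        kh.check("teacher-xo.local", impostor_key)
        events.append("accepted")
    except KeyChanged:
        events.append("rejected")
    return events


def roundtrip_demo() -> bool:
    """Pins survive a save/load cycle, so continuity persists across sessions."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "known_hosts.json"
        first = KnownHosts.load(path)
        first.check("teacher-xo.local", b"constructed-teacher-xo-host-key")
        first.save(path)
        second = KnownHosts.load(path)
        return second.check("teacher-xo.local",
                            b"constructed-teacher-xo-host-key") == "match"


if __name__ == "__main__":
    print(demo())
    print("persisted:", roundtrip_demo())
```

The point the example makes is the one the reply makes: the whole trust model fits in a dictionary the user can read, and the only hard decision (what to do on `KeyChanged`) is explicit rather than buried in certificate chain validation, revocation checking and CA key custody.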
