On 1/11/06, Andrew Patterson <[EMAIL PROTECTED]> wrote:
>
> Firstly, I think there needs to be a separation of the technical
> and legal.. technically, it would be trivial for Argus to support
> multiple CA roots, and in fact every PKI library I've ever used
> supports multiple CA roots by default. Furthermore, the barrier
> to creating your own CA root is minimal - I could generate a
> CA and give you all certificates tomorrow and we could all
> send each other PKI emails that are perfectly secure.. so
> technically pretty much everything about PKI is easy
> (well, I'm being a bit glib, but it's all relatively easy)

Yes, PKI makes for a fascinating study of what goes wrong when random numbers collide with people trying to attach some significance to them. :)

> Perhaps the
> real answer is a multitude of certificates and CAs,
> ranging from personal email certificates merely to
> encrypt email, ranging up to 100 points of id, sign
> my life away certificates for Medicare claiming,
> prescription writing etc.

There are already a multitude of CAs, and certs are issued for different purposes. This is where the 'I' comes into PKI, and this is when implementation starts to get harder because you have to get everyone to agree on the meaning of all the cert properties. Constructing small-i silos of meaning and operation (à la the Hesa approach: provide the certificate with an API!) is much more straightforward, as you say.

Another major problem of 'security' technology in general is trying to present it to the user in some sort of meaningful way. Remember when people used to say about https: "the lock icon means you can trust the website with your credit card details"? Hmm... maybe people still say that.

I do prefer the PGP model: "Hello, here's my certificate. You know me, and it has my name on it, so let's start communicating. You don't know me? Oh, but your friends do and they're using my certificate... so you can too!"

hehe... I just had a mental image of PGP key signing parties in Canberra! Actually, Canberra strikes me as a good place for PGP!

doug.

_______________________________________________
Gpcg_talk mailing list
[email protected]
http://ozdocit.org/cgi-bin/mailman/listinfo/gpcg_talk
