On Thu, Nov 30, 2006 at 04:18:12PM -0800, Stewart Stremler wrote:
> > If you can just find ONE CA you trust,
> > base all your security on
> > *their* cert perhaps
> > And force your customers to use that CA as well?
> > Not so good for the customer.

Well this thread has convinced me that a universal secure & practical PKI system is likely impossible today.

I remain optimistic about 'niche' PKI rollouts within limited domains. For example, the DoD with their smart card systems *is* able to force everyone to use the same CA. *This* PKI seems AFAIK to work well within their enclave.

So don't lose faith in PKI yet... just don't expect it to be as universally convenient as the TCP/IP protocol. :(

Chris

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
