begin quoting [EMAIL PROTECTED] as of Fri, Dec 01, 2006 at 11:06:47AM -0800:
> On Thu, Nov 30, 2006 at 04:18:12PM -0800, Stewart Stremler wrote:
> > > If you can just find ONE CA you trust,
> > > base all your security on
> > > *their* cert perhaps
> >
> > And force your customers to use that CA as well?
> >
> > Not so good for the customer.
>
> Well this thread has convinced me that a universal secure & practical PKI
> system is likely impossible today.

Key word: universal. That makes it hard.

> I remain optimistic about 'niche' PKI rollouts
> within limited domains. For example, the DoD with their smart card systems
> *is* able to force everyone to use the same CA. *This* PKI seems AFAIK
> to work well within their enclave.

Yes indeedy. Too bad the infrastructure on the OS / client end of things
is so shaky.

It seems like it takes a lot of work to set up and manage a CA, so that
the cost of setting up such a thing -- especially a reliable one -- is
really quite high.

> So don't lose faith in PKI yet....just
> don't expect it to be as universally convenient as the TCP/IP protocol. :(

Where did you get the idea that TCP/IP was universally convenient? :)

As I understand it, the backbones use ATM, clusters go to things like
Myrinet, embedded systems still rely on customer protocols over serial
links, etc. etc. SLIP and PPP impose nigh-unacceptable overhead (I stuck
with straight dialup until I could go to broadband, as tcp/ip over a modem
was emphatically not convenient).

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
