[EMAIL PROTECTED] wrote:
> On Fri, Dec 01, 2006 at 12:03:43PM -0800, Stewart Stremler wrote:
>> Too bad the infrastructure on the OS / client end of things is so shaky.
>> It seems like it takes a lot of work to set up and manage a CA, so that
>> the cost of setting up such a thing -- especially a reliable one -- is
>> really quite high.
> 
> Oh? In what way?  Are you saying even with good open source software on CA and
> client end that a good private niche PKI system is still shaky and expensive?
> Why?

I'm sure you know that security is always going to involve a trade-off
with convenience (etc), and that perfect security has infinite cost.

PKI systems are very neat, but can be shaky by not being carefully
implemented or by allowing loose practices.

There is a significant amount of infrastructure behind the CA
operations: Registration, Certification, Revocation (commonly ignored!),
Online Validation (maybe).

Doing it right requires commitment as well as investment.

I don't believe I've ever seen a button on any client that says "do you
want to check revocation lists now?".

Regards,
..jim


-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list