Commercial CAs are a red herring. Key distribution will always be a challenge, and commercial CAs are unlikely to ever be the right/best solution. However, public key crypto changes the problem from "secure two-way channel" to "tamper-proof advertisement."
Example: the fact that the BERKELEY.EDU kdc admin had to add an entry to the kdc for my AFS server *just so that I could verify the identities of its users* is a technological anachronism. All that should have been necessary is for me to access a place where some "BERKELEY.EDU public key" is reliably advertised. Any requirement stronger than that is a needless burden.

- a

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
