David W Forslund wrote:

>   The issue of PKI is securing the CA and this
> currently is an expensive proposition.
> 
I wish it was just securing the CA.  It's also about
the client side, where the private keys are stored and how
they are accessed for key operations and what assurances
any of us have that any given userid can be associated with those
key operations. You need a well run system with good policies and procedures to
ensure identity.

It's also about: I do a key operation, decrypt the data, change it
and send it back.  A different set of cryptographic operations can
detect this but you need a trusted system in place and a trusted third party
to administer it.  You need a well run system with good policies and procedures
to ensure integrity.
  

It's about the lifetime of cryptographic operations.  Yesterday's 56-bit keys
were good enough, but today they are not.  Yesterday's DES algorithm was ok, but
today we want AES.  That means, in all probability, that 50-year-old documents
secured using then-current cryptographic technology are totally insecure.  This
doesn't matter for e-commerce, where the lifetime of the transaction ends when
the payment is made.  This also doesn't matter for on-the-wire encryption such as
SSL, because it is a one-time transient event.  Those are the kinds of systems that
have the most design time and practical experience put into them.  You need a well
run system with good policies and procedures to maintain long term records.
