On Tue, 30 Sep 2008 12:05:28 -0400
Sam Hartman <[EMAIL PROTECTED]> wrote:
> It's certainly true that some people in the room spoke out against
> certificates. At least some of the reasons given did not actually
> inherently apply to certificates as a whole although they did create
> some significant constraints for what would not create operational
> problems.
>
Right. There's a big misconception in the world that using
certificates inherently requires a massive, complex infrastructure
that's best handled by third parties. In reality, using certificates
within an enterprise need be no more complex than handing out or
accepting passwords. All you need is a simple wrapper around something
like OpenSSL. You don't need formal root certificate ceremonies, you
don't need court-certified videographers, you don't need high priests
waving incense and anointing the certificate-signer machine with a
mixture of cow innards and ground-up prime numbers. (That's what OCSP
is about: Offal of Cow Sprinkled with Primes....) Whoever hands out
address blocks within the company can sign the certificates -- it's
that simple. I sometimes refer to this as the difference between "PKI"
and "pki" -- for enterprises, you need the latter.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
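The "simple wrapper around something like OpenSSL" that the message describes, as an added example that is not part of the original post and is not Bellovin's or the IETF's code. It assumes a POSIX shell with an `openssl` binary on the path; the CA name, the directory layout, and the hostname `host.example.internal` are constructed for the example. It shows the three operations an in-house signer actually needs: create one root key and certificate, sign a host certificate request with it, and have the accepting side verify a presented certificate against that root (a certificate signed by any other root must fail that check, which is the "accepting passwords" half of the comparison).

```shell
#!/bin/sh
# Minimal in-house "pki": one internal root plus a signing function.
# Added example; directory names, CA subject and hostnames are assumptions.
set -eu

# make_ca DIR NAME : create a self-signed root key and certificate in DIR.
# The root is marked CA:TRUE with pathlen:0 so it can sign end-entity
# certificates only, and its key is kept readable by the owner alone.
make_ca() {
    dir=$1; name=$2
    mkdir -p "$dir"
    printf '%s\n' \
        '[req]' 'distinguished_name = dn' 'prompt = no' 'x509_extensions = v3_ca' \
        '[dn]' "CN = $name" \
        '[v3_ca]' 'basicConstraints = critical, CA:TRUE, pathlen:0' \
        'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' \
        > "$dir/ca.cnf"
    openssl req -x509 -new -config "$dir/ca.cnf" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 3650
    chmod 600 "$dir/ca.key"
}

# issue_cert CADIR OUTDIR HOSTNAME : generate a key and CSR for HOSTNAME in
# OUTDIR and sign it with the root in CADIR. The extension file pins the
# certificate to a single DNS name and forbids it from acting as a CA.
issue_cert() {
    cadir=$1; out=$2; host=$3
    mkdir -p "$out"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$out/host.key" -out "$out/host.csr" -subj "/CN=$host"
    printf '%s\n' \
        'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$host" \
        > "$out/host.ext"
    openssl x509 -req -in "$out/host.csr" \
        -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" -CAcreateserial \
        -days 90 -extfile "$out/host.ext" -out "$out/host.crt"
    chmod 600 "$out/host.key"
}

# verify_cert CA_CRT CERT : the accepting side. Exit status 0 only if CERT
# chains to the internal root; anything signed elsewhere is rejected.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_dns_names CERT : print the DNS names the certificate is valid for.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*'
}

# Run as `sh pki.sh demo` to exercise the three steps in a temporary directory.
demo() {
    d=$(mktemp -d)
    make_ca "$d/ca" "Example Internal CA"
    issue_cert "$d/ca" "$d/host" "host.example.internal"
    if verify_cert "$d/ca/ca.crt" "$d/host/host.crt"; then
        echo "host certificate accepted, valid for: $(cert_dns_names "$d/host/host.crt")"
    else
        echo "host certificate rejected"
    fi
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

The whole signer is two files (`ca.key`, `ca.crt`) and one function; the point the message makes is that nothing beyond protecting `ca.key` and deciding who may run `issue_cert` is required for an enterprise-internal deployment.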
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr