Hi,

> I prefer trying to help people manage risk. People have assets that
> they would like to protect. What matters to them is
>
> 1) The cost of protecting those assets (financial and non-financial)
> 2) The value of those assets (financial, human, etc.)
> 3) The reduction in risk that is achieved
>
> Obviously it is good to be able to measure those things but I am
> pretty sure that reducing the number of trusted parties is not a
> goal.
The trouble with the risks we're facing is that they are extremely unlikely, yet have a high impact. If you're arguing that risk management does not lead to the conclusion "fewer TTPs", you need to show how you get to that conclusion.

Take the few numbers we have. 150+ recognised root certificates in browsers, distributed over 50+ organisations (I'm referring to Mozilla). Exact numbers may be higher, but depend on how you count. Yet both Nasko Oskov and Ivan Ristic (and actually, our group, too) have shown that most of these TTPs are not needed. Just one or two handfuls of TTPs have issued 95% of certificates.

Considering the high impact, the conclusion that I view as more likely is that fewer TTPs in X.509 is a good idea. Of course, if you're arguing you actually want to move away from X.509 and towards, say, SK, the story may be different.

Ralph

--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
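As an added example, not part of Ralph's message or of the studies he refers to, the following Python script performs the kind of concentration analysis his reply relies on: given per-issuer certificate counts, it finds the smallest set of issuers whose certificates make up 95% of what was observed, and lists the trust anchors in a browser-style store that issued nothing in the sample. All issuer names, counts and trust-store entries are constructed for illustration, not measured data.

```python
from collections import Counter

# Constructed sample: number of observed leaf certificates per issuing
# organisation. These figures are invented for illustration and are not
# the measurements from the Oskov, Ristic or TUM studies.
OBSERVED_ISSUERS = Counter({
    "CA-A": 4200,
    "CA-B": 2900,
    "CA-C": 1500,
    "CA-D": 700,
    "CA-E": 300,
    "CA-F": 150,
    "CA-G": 100,
    "CA-H": 60,
    "CA-I": 40,
    "CA-J": 30,
    "CA-K": 20,
})

# Constructed trust store: every organisation the browser trusts, many of
# which never appear as an issuer in the observed sample.
TRUST_STORE = {f"CA-{chr(c)}" for c in range(ord("A"), ord("Z") + 1)}


def issuers_for_coverage(counts, fraction):
    """Return the smallest prefix of issuers, most prolific first, whose
    certificates account for at least `fraction` of all observed ones."""
    total = sum(counts.values())
    covered = 0
    chosen = []
    for issuer, n in counts.most_common():
        chosen.append(issuer)
        covered += n
        if covered / total >= fraction:
            break
    return chosen


def coverage_share(counts, issuers):
    """Fraction of observed certificates issued by the given issuers."""
    total = sum(counts.values())
    return sum(counts[i] for i in issuers) / total


def unused_trust_anchors(trust_store, counts):
    """Trust anchors that issued no certificate in the observed sample.
    Each one is a party whose compromise would be accepted by the client
    without any observed benefit to the relying parties."""
    return sorted(trust_store - set(counts))


def summarise(counts, trust_store, fraction=0.95):
    needed = issuers_for_coverage(counts, fraction)
    return {
        "trusted_anchors": len(trust_store),
        "needed_for_fraction": len(needed),
        "achieved_share": coverage_share(counts, needed),
        "unused_anchors": len(unused_trust_anchors(trust_store, counts)),
    }


if __name__ == "__main__":
    for key, value in summarise(OBSERVED_ISSUERS, TRUST_STORE).items():
        print(f"{key}: {value}")
```

With the constructed numbers, five of the 26 trusted organisations cover 96% of observed certificates and fifteen anchors never issued anything in the sample; the gap between "trusted" and "needed" is the quantity the reply argues should drive the risk decision.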
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
