[18826] in cryptography@c2.net mail archive


Re: Some thoughts on high-assurance certificates

daemon@ATHENA.MIT.EDU (Ian G)
Wed Nov 2 09:30:42 2005

X-Original-To: cryptography@metzdowd.com
Date: Wed, 02 Nov 2005 14:02:54 +0000
From: Ian G <iang@systemics.com>
To: Ed Reed <ereed@novell.com>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>,
	cryptography@metzdowd.com
In-Reply-To: <43677212.6FCD.00EC.0@novell.com>

Ed Reed wrote:

> Getting PKI baked into the every day representations people routinely
> manage seems desirable and necessary to me.  The pricing model that has
> precluded that in the past (you need a separate PKI certificate for each
> INSURANCE policy?) is finally melting away.  We may be ready to watch
> the maturation of the industry.

In your long and interesting email you outlined
some issues with the tool known as PKI.  What I'm
curious about is why, given these issues and maybe
100 more documented elsewhere **, you propose that:

    "Getting PKI baked into the every day representations
    people routinely manage seems desirable and necessary to me."

We have this tool.  It has many and huge issues.
What I don't understand is why the desire is so
strong to put this tool into play, when it has
singularly failed to prove itself?

Where does the bottom-up drive come from?  Why is
it that what "people do routinely" isn't driven
top-down, so that the tools they need are application
driven, but is instead subjugated to the tools-first
approach, even against such negative experience and
theory?

iang

** some here: http://iang.org/ssl/pki_considered_harmful.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
