Any use PKI?? (Public Key Infrastructure) for anything? What?
Stewart Stremler
bofh at stremler.net
Sun Mar 31 00:01:38 PST 2002
begin quoting Tracy R Reed as of Sat, Mar 30, 2002 at 10:38:02PM -0800:
> I am very much against certificate authorities. It's too important a job
> to completely centralize. They have failed in the past and they will fail
> again. Verisign has issued certificates for keys claiming to belong to
> organisations which they did not. Not only that but they are hideously
> expensive for what they do and they have a practical monopoly on the CA
> market because the most widely used browsers only support a small handful
> of CA's. Only I and others you trust to do so can vouch for my public key.
Um, when was the last time you *looked* at what CAs were trusted by
your browser? (It took a long afternoon to wade through the one that
was installed by default with Netscape 4.78....)
I agree with sentences #2 and #3, and remember #4, but I disagree with
#1...sorta. CAs make perfect sense in (large) hierarchal organizations,
with the organization itself running the CA.
I do not think that having "Commercial" CAs makes much sense -- unless
there's some Escrow and Insurance characteristics involved. A screw-up,
like the sort Verisign has made in the past, should be a very expensive
mistake for such a company, if not fatal to the corporation. Making a
"commercial" CA legally and fiscally responsible for their services would
go a long way in making such services trustworthy.
But it makes sense for VeryBigCorp, Inc., to run a CA or group of CAs
and then require that all employees possess the appropriate certificates.
As all the certificates generated are for employees, there's a modicum
of security, at least at the level that makes sense within the organization.
(The DoD runs their own CAs... and this makes sense, to me.)
Making that CA available to those who do business with VeryBigCorp, Inc.,
would be a natural and useful step. You'd end up building up that PGP-like
"web of trust" at a much higher level: "I believe that _this_ CA is _that_
business that I just wrote a check to for $25,000"...
-Stewart "A Certificate Authority in every pot." Stremler