OASIS Mailing List Archives

pki-tc message



Subject: Re: [pki-tc] Fwd: PKI SC Status Reports Due Today


Steve,

>Anders, giving certs to servers and organizations
>is common practice with today's X.509 PKIs. Issuing
>certs to end-users is different, as you say. If you
>feel that there are barriers to server or domain PKI,
>could you describe them?   Note that I have read your
>paper at http://w1.181.telia.com/~u18116613/pki4org.pdf

I probably have a somewhat black-and-white view of PKI....

The "barrier" I see is that by having servers do the signing, most of the
motivation behind exposing client-side PKI and associated directories,
roots, and policies outside of an organization disappears.

Essentially you separate internal and external security and let these
two things develop on their own.   On-line banks would IMHO hardly
have 100M + users if client-security in one bank would spill over
to all other banks.  That's at least my thesis FWIW.

To not unnecessarily polarize things, I have recently begun to play with
schemes that unite these diverging PKI models, hopefully bringing out
the best of both worlds.  Or maybe it is just twice as hard?  :-)
Anyway, such a scheme has been submitted as a possible PKI
Workshop 2005 item.

thanx
Anders R

