Subject: Re: [pki-tc] Fwd: PKI SC Status Reports Due Today
OK, so you don't see any special barriers to server or domain PKI. The main problem is that user certs are hard and people sometimes incorrectly conclude that these difficulties carry over to server PKI. Also that you think too much attention is given to solving the problems with user certs, especially recognizing them across organizational boundaries.

That clears it up.

Thanks,

Steve

Anders Rundgren wrote:

> Steve,
>
>>Anders, giving certs to servers and organizations
>>is common practice with today's X.509 PKIs. Issuing
>>certs to end-users is different, as you say. If you
>>feel that there are barriers to server or domain PKI,
>>could you describe them? Note that I have read your
>>paper at http://w1.181.telia.com/~u18116613/pki4org.pdf
>
> I probably have a somewhat black-and-white view of PKI....
>
> The "barrier" I see is that by having servers do the signing, most of the
> motivation behind exposing client-side PKI and associated directories,
> roots, and policies outside of an organization disappears.
>
> Essentially you separate internal and external security and let these
> two things develop on their own. On-line banks would IMHO hardly
> have 100M + users if client-security in one bank would spill over
> to all other banks. That's at least my thesis FWIW.
>
> To not unnecessarily polarize things, I have recently begun to play with
> schemes that unite these diverging PKI models, hopefully bringing out
> the best of both worlds. Or maybe it is just twice as hard? :-)
> Anyway, such a scheme has been submitted as a possible PKI
> Workshop 2005 item.
>
> thanx
> Anders R