Dave,
There are many other problems with bridge CAs:

Although private-sector competitors funding a common bridge CA is indeed a cute idea, it simply has nothing to do with reality.

Using SCVP (and similar), each company can administer PKI trust in a completely distributed way and be as discriminating as they want as well.

The day VISA, Amex and MasterCard cross-certify each other in order to simplify trust management for merchants, I will, though, back off from my position that "The Bridge CA is dead, long live the Bridge CA".
Regards
Anders Rundgren
----- Original Message -----
From: Dave Engberg
To: pkix
Sent: Saturday, July 07, 2007 17:49
Subject: Re: draft-ietf-pkix-scvp-32.txt

I disagree. SCVP is a protocol that can make complex PKIs work. The big problem with a federated PKI using bridged and cross-certified CAs is that it forces the relying party to do too much work in crawling the CA network and checking the revocation of every link. This has an unacceptable risk of failure unless every server and service in the network is 100% reliable and available.

SCVP moves the path discovery and validation to a server which can be configured to do much more intelligent caching, pre-fetching, etc. SCVP in DPD mode is perfect for this. As new CAs join the bridged network, they will "automatically" be usable by the server and clients without having to add yet another hard-coded root CA into a massive trust list.

Anders Rundgren wrote:
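The two points argued in this thread (the relying party crawling the cross-certificate graph and checking revocation on every link, with one unreachable responder failing the whole path; and an SCVP-style server whose cache lets a new bridged CA become usable without a new trust anchor on the client) can be modelled with a small path builder. The block below is an added example, not code from the thread or from any SCVP implementation: the CA names, cross-certificates, responder URLs, the "responder unreachable" set and the cache are all constructed for illustration.

```python
"""Toy model of certification-path discovery across a bridge CA.

Added example, not code from the PKIX thread or from any SCVP product.
CA names, cross-certificates, responder URLs and the set of unavailable
responders below are constructed for illustration only.
"""
from collections import deque

# A cross-certificate is modelled as (issuer, subject): "issuer has certified
# subject's key".  Every link in a path needs its own revocation check, and
# that check is made against the *issuer's* responder.
CROSS_CERTS = {
    ("Bridge", "VisaCA"), ("VisaCA", "Bridge"),
    ("Bridge", "AmexCA"), ("AmexCA", "Bridge"),
    ("Bridge", "MasterCardCA"), ("MasterCardCA", "Bridge"),
}

# Constructed responder locations (hypothetical hostnames), one per issuing CA.
RESPONDERS = {
    "VisaCA": "http://ocsp.visaca.example/",
    "AmexCA": "http://ocsp.amexca.example/",
    "MasterCardCA": "http://ocsp.mastercardca.example/",
    "Bridge": "http://ocsp.bridge.example/",
}


def build_path(anchors, target_issuer, cross_certs):
    """Breadth-first search from the trust anchors to the CA that issued the
    target certificate.  Returns the list of (issuer, subject) links, or None
    when no path exists.  The visited set also breaks the Bridge<->CA cycles."""
    by_issuer = {}
    for issuer, subject in cross_certs:
        by_issuer.setdefault(issuer, []).append(subject)
    parent = {a: None for a in anchors}
    queue = deque(anchors)
    while queue:
        ca = queue.popleft()
        if ca == target_issuer:
            path = []
            while parent[ca] is not None:
                path.append((parent[ca], ca))
                ca = parent[ca]
            return list(reversed(path))
        for nxt in by_issuer.get(ca, []):
            if nxt not in parent:
                parent[nxt] = ca
                queue.append(nxt)
    return None


def validate_path(path, responders, unavailable, cache=None):
    """Check revocation on every link.  A responder in `unavailable` makes the
    link, and therefore the whole path, fail closed.  `cache` stands in for an
    SCVP server's stored answers: a cached link is accepted without contacting
    the responder again."""
    cache = {} if cache is None else cache
    checked = []
    for issuer, subject in path:
        if (issuer, subject) in cache:
            checked.append((issuer, subject, "cached"))
            continue
        url = responders[issuer]
        if url in unavailable:
            reason = f"no revocation status for {issuer}->{subject} ({url} unreachable)"
            return False, reason, checked
        cache[(issuer, subject)] = "good"      # simulated "good" OCSP answer
        checked.append((issuer, subject, "fetched"))
    return True, "path valid", checked


def relying_party_check(anchors, target_issuer, unavailable,
                        cross_certs=CROSS_CERTS, cache=None):
    """Full client-side work: discover the path, then validate every link."""
    path = build_path(anchors, target_issuer, cross_certs)
    if path is None:
        return False, f"no path from {sorted(anchors)} to {target_issuer}", []
    return validate_path(path, RESPONDERS, unavailable, cache)


if __name__ == "__main__":
    # A merchant trusting only VisaCA sees an Amex-issued certificate.
    print(relying_party_check({"VisaCA"}, "AmexCA", unavailable=set()))
    # The bridge's responder is down: the path exists but cannot be validated.
    print(relying_party_check({"VisaCA"}, "AmexCA",
                              unavailable={RESPONDERS["Bridge"]}))
    # A new CA joins the bridge; the client needs no new trust anchor.
    certs = CROSS_CERTS | {("Bridge", "NewCoCA"), ("NewCoCA", "Bridge")}
    print(relying_party_check({"VisaCA"}, "NewCoCA", unavailable=set(),
                              cross_certs=certs))
```

Run it as a script to see the three cases from the thread: a two-link path that validates, the same path failing closed when one responder is unreachable, and a newly bridged CA becoming reachable through the existing anchor. Passing the same `cache` dict into successive calls shows the server-side mitigation: once a link's status has been fetched, a later outage of that responder no longer fails the path.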