Thin PKI won - You lost
Hi Steve,
Do you remember the debate I started some 18 months ago when I launched the
"Thin PKI"/CyberPhone concept in this list?
http://www.mobilephones-tng.com/v100/dynamiccerts.html
The concept in a nutshell: When you engage in inter-organizational activities you let an
"organization server" vouch for its employees (clients) by signing (AC-like) credentials on the fly for
authentication, and signing outgoing transactions on the client's request. All this without using
any direct PKI-based "connection" between the client and the RP. BTW, the client does
not even have to use PKI!
You claimed that this was a bad idea, while I claimed that this is "the future for PKI".
After reading the S2ML-draft 0.7a I can inform you that this specification, which is supported by
VeriSign, RSA etc., uses exactly this scheme for authentications and authorizations. And so, BTW,
does VISA's coming 3D-SSL payment solution as well.
Any comments? :-) :-)
My guess is that this will, in a couple of years, smash quite a few PKI-projects into pieces!
For those who are engaged in federal or national PKIs, and Bridge-CAs etc.:
=== You are very likely to be on the wrong track! ===
We need thin "interoperable domains" (VISA's term) between organizations, not giant PKIs where
"everybody is talking to everybody" (certificate-wise). The banks use the former model, and although
banks cannot be accused of being hi-tech, they have anyway succeeded in doing advanced O2O/B2B-things
(even globally), supporting millions of ordinary users on the Internet, which none of the many
government-sponsored PKI-programs have achieved, or will ever achieve using current PKI-models.
Signature archival is a built-in feature using Thin PKI, instead of something that
you with great pains "glue" to a basically broken system.
The term "Thin PKI" was coined by me to denote the fact that you with a single cert+key could
"do anything" you'll ever need. It could actually be extended to organizations as well.
That interoperability becomes a non-issue (at least compared to the "classical" PKI approach) is due to
the fact that a single commercial TTP can without problems certify millions of organizations.
I.e. much of this CA policy-stuff that some organizations are working with is in vain as most
organizations will buy pre-packaged products. "Trust" is actually something that has to be created within
organizations and that is (except for a few die-hard PKIers), virtually independent of CA policies.
Anders Rundgren
co-founder
X-OBI
+46 70 - 627 74 37
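The organization-server scheme described in the message above, as an added example in Go that is neither Anders's code nor S2ML's or 3D-SSL's format: one organization key signs short-lived AC-like credentials for an employee on the fly and signs an outgoing transaction at the employee's request, and the relying party verifies with nothing but the organization's public key. The `Credential` JSON layout, the `OrgServer`/`Vouch`/`Verify` names and the choice of Ed25519 are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Credential: the AC-like statement the org server signs on the fly (constructed format, not S2ML's); Tx is "" for authentication only.
type Credential struct {
	Org     string `json:"org"`
	Subject string `json:"sub"`
	Expires int64  `json:"exp"` // Unix seconds
	Tx      string `json:"tx,omitempty"`
}

// OrgServer holds the organization's single key pair; employees hold no keys at all.
type OrgServer struct {
	Name string
	Pub  ed25519.PublicKey // the one key a TTP certifies and relying parties trust
	priv ed25519.PrivateKey
}

func NewOrgServer(name string) (*OrgServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &OrgServer{Name: name, Pub: pub, priv: priv}, err
}

// Vouch signs a credential for an employee the server has already authenticated by its own, non-PKI means.
func (s *OrgServer) Vouch(employee, tx string, now time.Time, ttl time.Duration) (body, sig []byte) {
	body, _ = json.Marshal(Credential{Org: s.Name, Subject: employee, Expires: now.Add(ttl).Unix(), Tx: tx})
	return body, ed25519.Sign(s.priv, body) // Marshal cannot fail for plain strings and an int
}

// Verify is the relying party's side: organization signature plus expiry, no employee cert.
func Verify(orgPub ed25519.PublicKey, body, sig []byte, now time.Time) (*Credential, error) {
	if !ed25519.Verify(orgPub, body, sig) {
		return nil, errors.New("organization signature does not verify")
	}
	var c Credential
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Expires {
		return nil, errors.New("credential expired")
	}
	return &c, nil
}
```

The relying party's trust store holds one organization key per "interoperable domain", and the same signed statement carries either a bare authentication or a transaction, which is where the built-in signature archival comes from.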