
Re: Thin PKI won - You lost



At 11:31 AM +0100 12/15/00, Anders Rundgren wrote:
Hi Steve,
Do you remember the debate I started some 18 months ago when I launched the
"Thin PKI"/CyberPhone concept in this list?

http://www.mobilephones-tng.com/v100/dynamiccerts.html

The concept in a nutshell: When you engage in inter-organizational activities you let an
"organization server" vouch for its employees (clients) by signing (AC-like) credentials on the fly for
authentication, and signing outgoing transactions on the client's request. All this without using
any direct PKI-based "connection" between the client and the RP. BTW, the client does
not even have to use PKI!

You claimed that this was a bad idea, while I claimed that this is "the future for PKI".

After reading the S2ML-draft 0.7a I can inform you that this specification, which is supported by
VeriSign, RSA etc., uses exactly this scheme for authentications and authorizations. And so does,
BTW, VISA's coming 3D-SSL payment solution as well.

Any comments? :-) :-)

Bad ideas are patentable, marketable, and may even be successful. What's your point?


My guess is that this will in a couple of years, smash quite a few PKI-projects into pieces!

For those who are engaged in federal or national PKIs, and Bridge-CAs etc.:

=== You are very likely to be on the wrong track! ===

We need thin "interoperable domains" (VISA's term) between organizations, not giant PKIs where
"everybody is talking to everybody" (certificate-wise). The banks use the former model, and although
banks cannot be accused of being hi-tech, they have anyway succeeded in doing advanced O2O/B2B-things
(even globally), supporting millions of ordinary users on the Internet, which none of the many
government-sponsored PKI-programs have achieved, or will ever achieve using current PKI-models.

Signature archival is a built-in feature using Thin PKI, instead of something that
you with great pains "glue" to a basically broken system.

The term "Thin PKI" was coined by me to denote the fact that you with a single cert+key could
"do anything" you'll ever need. It could actually be extended to organizations as well.

The reason interoperability becomes a non-issue (at least compared to the "classical" PKI approach) is
the fact that a single commercial TTP can without problems certify millions of organizations.
I.e. much of this CA policy-stuff that some organizations are working with is in vain, as most
organizations will buy pre-packaged products. "Trust" is actually something that has to be created within
organizations and that is (except for a few die-hard PKIers) virtually independent of CA policies.

Anders Rundgren
co-founder
X-OBI
+46 70 - 627 74 37

This sort of marketing rhetoric has no place on an IETF mailing list, including this one. If you can't restrict your contributions to technical discussions, we'll have to ask you not to post to this list.

Steve
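The "organization server vouches for its employees" model that the quoted message describes, as an added example that is not part of this thread or of any product named in it: the organization holds a single key pair, issues short-lived AC-like credentials for locally authenticated employees, signs outgoing transactions on their behalf, and the relying party verifies everything against organization keys alone, so the client never holds a key. Ed25519, the JSON field layout, the names ExampleCorp and alice, the fixed clock, and the pre-loaded organization key table (standing in for the TTP certification the message mentions) are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is the short-lived, AC-like assertion the organization server signs on the
// fly for one employee. The field set is a constructed, hypothetical format.
type Credential struct {
	Org      string `json:"org"`
	Employee string `json:"employee"`
	Expires  int64  `json:"expires"` // Unix seconds
}

// Transaction is an outgoing message signed at the client's request; the employee
// never touches a private key.
type Transaction struct {
	Org      string `json:"org"`
	Employee string `json:"employee"`
	Payload  string `json:"payload"`
	Issued   int64  `json:"issued"` // Unix seconds
}

// OrgServer holds the organization's single key pair and its staff roster.
type OrgServer struct {
	Name  string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	staff map[string]bool
}

// NewOrgServer generates the one key pair the whole organization uses externally.
func NewOrgServer(name string, employees []string) (*OrgServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s := &OrgServer{Name: name, Pub: pub, priv: priv, staff: map[string]bool{}}
	for _, e := range employees {
		s.staff[e] = true
	}
	return s, nil
}

// sign refuses non-employees, serialises v to JSON and returns (message, signature).
func (s *OrgServer) sign(employee string, v interface{}) ([]byte, []byte, error) {
	if !s.staff[employee] {
		return nil, nil, errors.New("unknown employee: " + employee)
	}
	msg, err := json.Marshal(v)
	if err != nil {
		return nil, nil, err
	}
	return msg, ed25519.Sign(s.priv, msg), nil
}

// IssueCredential vouches for an employee who has already authenticated to the
// organization by some local means (assumed, not shown here).
func (s *OrgServer) IssueCredential(employee string, now time.Time, ttl time.Duration) ([]byte, []byte, error) {
	return s.sign(employee, Credential{Org: s.Name, Employee: employee, Expires: now.Add(ttl).Unix()})
}

// SignTransaction signs an outgoing transaction on the employee's behalf.
func (s *OrgServer) SignTransaction(employee, payload string, now time.Time) ([]byte, []byte, error) {
	return s.sign(employee, Transaction{Org: s.Name, Employee: employee, Payload: payload, Issued: now.Unix()})
}

// RelyingParty knows only organization public keys (here pre-loaded by assumption,
// where the message's model would have a commercial TTP certify them).
type RelyingParty struct{ orgKeys map[string]ed25519.PublicKey }

func NewRelyingParty() *RelyingParty { return &RelyingParty{orgKeys: map[string]ed25519.PublicKey{}} }

func (rp *RelyingParty) TrustOrg(name string, pub ed25519.PublicKey) { rp.orgKeys[name] = pub }

// verify looks up the key of the org named inside the message, so a message that
// claims another org fails unless it was actually signed with that org's key.
func (rp *RelyingParty) verify(msg, sig []byte, org string) error {
	pub, ok := rp.orgKeys[org]
	if !ok {
		return errors.New("untrusted organization: " + org)
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("bad signature")
	}
	return nil
}

// VerifyCredential checks signature and expiry; no per-employee key is needed.
func (rp *RelyingParty) VerifyCredential(msg, sig []byte, now time.Time) (*Credential, error) {
	var c Credential
	if err := json.Unmarshal(msg, &c); err != nil {
		return nil, err
	}
	if err := rp.verify(msg, sig, c.Org); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Expires {
		return nil, errors.New("credential expired")
	}
	return &c, nil
}

// VerifyTransaction checks the organization's signature over the transaction bytes.
func (rp *RelyingParty) VerifyTransaction(msg, sig []byte) (*Transaction, error) {
	var t Transaction
	if err := json.Unmarshal(msg, &t); err != nil {
		return nil, err
	}
	if err := rp.verify(msg, sig, t.Org); err != nil {
		return nil, err
	}
	return &t, nil
}

func main() {
	now := time.Unix(977000000, 0) // constructed fixed clock (December 2000)
	org, _ := NewOrgServer("ExampleCorp", []string{"alice"})
	rp := NewRelyingParty()
	rp.TrustOrg(org.Name, org.Pub)
	msg, sig, _ := org.IssueCredential("alice", now, 5*time.Minute)
	fmt.Println(rp.VerifyCredential(msg, sig, now))
	msg, sig, _ = org.SignTransaction("alice", "PO-42 approve", now)
	fmt.Println(rp.VerifyTransaction(msg, sig))
}
```

The relying party's trust decision collapses to "is this organization's key in my table", which is the single-cert-per-organization property the message argues for; the price is that the organization server is now the one place whose compromise or sloppy local authentication lets anyone sign as any employee, and signature archival (the server keeps `msg`/`sig` pairs) is where the claimed built-in audit trail would live.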