> I realize that that scenario doesn't fit the business model
> of current TTP CAs very well, and at the same time I observe
> that the do-it-yourself model of CA toolkits isn't selling
> very well in the marketplace either. So I don't know whether
> that model is really feasible either - it certainly hasn't
> done all that well to date.

The key to any complex system is where you put the complexity. The idea of XKMS and SAML is to put the complexity where it is easily accessible for maintenance as necessary. The unfortunate side effect of the 'end to end' theology is that too much complexity got embedded into the end points, which cannot be maintained reliably on a day to day basis and, once deployed, may be in service for years or decades.

To make an analogy, the XKMS approach is equivalent to putting the access panel to the compressor on the side of the hot tub; the PKIX approach is putting the access panel underneath it.

The disadvantage of the SAML/XKMS approach is that it lowers the barrier to entry for the end point but transfers that cost to the infrastructure. Ten years ago no party had the necessary capital to invest in the infrastructure required. Today much of the physical infrastructure is a sunk cost.

To make another analogy, the first electricity companies sold package generators to individual factories. That model was quickly replaced by the model in which one large power station served an entire town and the capital and maintenance costs were distributed over many more users, gaining economies of scale.

Phill