RE: NEW Data type for certificate selection ?

Ed,
You failed to comment on the *technical* part of my suggestion and went
immediately to politics!  Please spend some time on that part in spite
of the fact that you think Swedes are morons (we must be, as we have used PPITs
extensively for the last 30 years or so).  And even morons want solutions to their
stupid little problems. :-)

Note that, unlike some certificates, certificates with PPITs
are never published on a directory server. You may, though, check their status with
OCSP or similar in case you (as a trusted party) received such a certificate.

>> but to allow users to authenticate themselves
>>using a valid certificate (be it electronical or physical) where the certificate
>>receiver only must know what issuers (and domain) to trust.  

>This has nothing to do with YAPITs. It has to do with issuer trust
>and key challenge-response. 

Not at all. Challenge-response verifies that you really are in possession of the certificate.
In the physical world you compare the ID-card picture with the face of the card-holder.

>Each country/company/person can do as they please, but in a
>competitive world market the one with least information exposure has
>a large advantage. BTW, is that not what security is all about ? ;-)

Security has many faces.  That you really are communicating with the right person is one example :-)

In the competitive world market there are always tradeoffs between "features" that
usually are in some conflict with each other, like price and speed.

Convenience is also a selling point.

Giving a PPIT to an employer is not the same thing as giving up your soul.

Giving a PPIT to everyone is surely stupid and not recommendable, but it is unlikely
to give you half as many *real* problems as a publicly known e-mail address
or telephone number!

But let's get back to the technical track, otherwise we must change mailing list!

Anders