
Re: A different architecture? (was Re: certificate path services [ was RE: NEW Data type for certificate selection ? ])



Many of the infrastructures involving authorization ... include many
factors in addition to strong authentication, some real-time and some not.
Account-based infrastructures have been a part of business infrastructures
for some time to bind together the necessary information necessary to
support authorization. The account authority digital signature model
attempts to integrate public key registration and digital signature
authentication into the core business process ... as opposed to working on
ways of figuring out what pieces might be exportable to a certificate, then
realizing that there are real-time requirements ... which means real-time
contact of the CA which is maintaining various critical information.

As the number of attributes exported into certificates increases ...
and the real-time status of those attributes is required to be maintained
at the CA for authorization ... a CA would eventually begin to migrate to
becoming an account authority. The current main distinction of a CA is that
it is maybe 20-30% handling cryptography for certificates and 70-80%
account management. As the number of attributes and real-time status
requirements increase ... the role of cryptography in the CA becomes
smaller and smaller ... and the account management starts to grow to 95+%.

From the financial infrastructure standpoint ... once past toy pilot stage,
it is much more cost effective to start with the most robust
account-management infrastructure in existence today and retrofit the 1-2%
cryptography necessary to support digital signature authentication ... than
it is to try and upgrade CAs into business-critical, industrial strength
account management support.