
RE: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio



I personally don't have a problem with private keys and certs being used in
digital phones, the keyboard being used for PIN entry, and some smart
applications for interaction, say with IVR servers and the newly released
Wireless Application Protocol to web servers.  [Insert new YASP (yet another
security protocol) here?]

All of this is technically viable, and desirable.  

No bio cert required.  The PIN to unlock the feature surely would be
sufficient for authentication.

Andrew Probert
Rotek Consulting   http://www.rotek.com.au
a Division of Secure Network Solutions
Tel  +61 3 9690 8877
Fax +61 3 9690 8171



> -----Original Message-----
> From:	Anders Rundgren [SMTP:anders.rundgren@jaybis.com]
> Sent:	Wednesday, April 07, 1999 9:46 AM
> To:	Stephen Kent
> Cc:	ietf-pkix@imc.org; 'SEIS-List'
> Subject:	Re: A $25,000,000,000 PKI   Was:Spec. on QC-low-fat &
> QC-heavy-bio
> 
> Steve,
> 
> >>Of course, they are built on the fundamental principle that the
> >>client always has the "final" cert and key.  CyberPhone is not.
> >
> >Yes, this is the assumption, and it is a widely held one.  To change it a
> >lot of folks will need to be convinced otherwise.  You have a lot of work
> >ahead :-)!
> 
> 
> I know.  But it's fun as well.
> 
> <snip>
> 
> >> Did you actually read the dynamic certs paper?
> 
> >Yes, and I don't buy all of its premises.  The companies are the ones on
> >the hook, as you say, but they also need individual accountability, hence
> >the need for individual certs.
> 
> You got that in the CyberID.  Accountability is internal affairs, isn't
> it?
> 
> > Nobody has a lot of experience with large
> >scale deployment of PKIs in these contexts, so a statement about the
> >relative difficulties of deployment of certs to end users vs. the approach
> >you propose is premature. Insecure servers are a growing problem for
> >businesses, so I also challenge your second assertion.
> 
> SET is an example of a large-scale PKI deployment that has _almost_
> flopped due to some of the factors that CyberPhone solves. Like:
> 
> Certificate distribution
> Thin client sw
> Mobile universal usage
> 
> <large snip>
> >Finally, your proposal is clearly focused on one particular deployment
> >model, which may or may not be realized.  There are others, based on more
> >computationally capable, mobile, personal devices, e.g., PDAs.
> 
> Computationally capable devices do not solve
> client certificate or client software distribution.
> 
> The market for mobile phones is so much bigger than for other
> devices (PDAs, PCs) etc. so IF this solution gets wide acceptance on
> the mobile phone market - most other client PKI solutions MAY just die.
> I.e. why pay additional money for certs, readers, software if your
> employees already have a high-quality solution in their hands?
> 
> BTW, why do you think MSFT is so interested in the mobile phone market?
> Because it is there the future of IT is happening!
> 
> > As I said
> >before, you should pursue any implementation approach you think is
> >fruitful, but don't ask this standards body to tailor parts of its work to
> >facilitate your (decidedly non-mainstream) approach to using certs.
> 
> It COULD  become mainstream...
> 
> Now we both know pretty well where we stand in this case so
> could somebody else please comment on this?
> 
> Anders
>