RE: Certificates, Directories, and Distinguished Names
Tony - not sure if I understand the thread or the last para.
And don't get me wrong either re the value of PKIs. Having worked with
directories for about 12 years and PKIs for 5 or so, for real
operational business environments I appreciate the standards process,
the profiling process and the need to deal with operational models which
today must include a distributed and consistent information management
capability.
My line of comments tries to address a major concern with the PKIX process:
that design anchors such as email addresses in certs, databases
instead of distributed directory systems, inflexibility in PKI profiles
because of theory, no recognition that business applications (eg mobile
phones, car tagging, banking, etc) need to be dealt with in terms of
their PKI approach differently, and the need to keep adding things in
certs that are dynamic in the real world - make the discussion critical
to say the least.
As said, PKIX is trying to profile X.509. I have been involved with the
directory X.500 ISPs for a few years - and that effort was reduced to
almost zero because the technology and products surfaced into the
marketplace and started dealing with real businesses - and trying to
mandate/option protocol and information fields in tables in standards
for all circumstances in global business is impossible.
In addition, trying to shoehorn one PKI/CA key management profile/
cert processing design for all aspects of trusted transactions - which
just happen to run over the internet - will also prove to be an
impossible task.
In addition - who will own the root level key for all this PKIX
compliant stuff?
As said, PKIs will be built like directory services - for business
domains and vertical markets that provide EC services under the
control of those who want to invest in such (PKI supported) services.
regards alan
----------
From: Tony Bartoletti
To: Alan Lloyd; 'Stephen Kent'
Cc: 'ietf-pkix@imc.org'; 'list@seis.nc-forum.com'
Sent: 4/8/99 3:26:06 AM
Subject: RE: Certificates, Directories, and Distinguished Names
Just a General Observation:
The "pack-it-in-the-cert"/"pack-it-in-a-directory" debate seems to
parallel, in some ways, the recent thread on Anders' "CyberPhone"
approach to outsourcing one's private-key handling.
And "convenience," indeed, can only be ignored at one's peril (in
a business model, at least :)
Over all of this, I cannot help but be reminded of those who lived
through the Great Depression, and to this day feel uncomfortable
placing their money in banks. They will insist upon dealing in
"cash", the kind they can stuff under their mattress, or bury in
a steel box in the backyard. Foolish as it may seem to most, they
insist upon being the final arbiters of their security/destiny,
however ill-equipped to the task they may be.
No amount of argument that, statistically, their money would be
safer in a bank, or as bits-on-a-disk, will dissuade them.
(And who knows, in the long run, if they will be wrong or right?)
Must we promote a world so hostile to these individualists (they
are many, if not the majority) that they become shut out of the future
benefits that PKIs may afford?
Is this concern not a silent undercurrent to many of these debates?
___tony___
Tony Bartoletti
Center for Information Operations and Assurance
Lawrence Livermore National Laboratory
PO Box 808, L-303
Livermore, CA 94551-9900
phone: 925-422-3881 fax: 925-423-8002
email: azb@llnl.gov