RE: Certificates, Directories, and Distinguished Names
Alan,
I try here to accommodate viewpoints that are often at odds,
judging from the long life these threads exhibit.
I make an analogy between some folks' reluctance to "bank",
and those who are similarly ill-at-ease allowing what might
be considered privacy info to be accessible via directories.
Granted, I might be foolish to think my money is safer under
my pillow (in general) than as bits on a magnetic disk far
far away. I am more likely to be robbed at home than to
have my account drained by a nefarious bank-insider.
Yet some still insist on having their "gold" in their own
hands, where they can see it and control it, directly and
absolutely.
I see this sentiment "below the surface" when discussions of
global directories with searchable hierarchical Names are on
the table. It suggests a lack of control on the part of the
data-owner, and no amount of "we can make it real real secure
with lots of money" will assuage the unease.
A lot of folks, like the "bank-non-trustors", are less worried
about abuses perpetrated by their neighbors, or even by the
individual stranger, than they are by the power of the state.
The (US) second amendment, once a form of balance to that
power, is clearly impotent by orders of magnitude. Yet the
people have one card that almost no amount of power can
abuse, and that is cryptography, and by allowance unforgeable
identity. They can jail or torture me, but it is in my power
to relinquish the key or not.
These concerns seem laughable in the face of the main PKI
motivations dealt with here, being high-volume internet commerce.
And yet I am sure there are many who see the promise of security
(in privacy and identity) in public key technology, and hope to
see it serve their ends in this way.
This is not to disparage the notion that directories will
be deployed and critical in a great many venues. If my "private"
information were not lying around on the disks of credit agencies,
I would have a hard time using all the plastic in my wallet.
I simply share the feelings of many, I suspect, that commercial
concerns about how to best use keys and certs will overshadow
those uses where there are not quick-bucks to be made, and
that protocols tailored to the commercial uses will force
others into obscurity.
Regards,
___tony___
At 07:57 AM 4/8/99 +1000, Alan Lloyd wrote:
>
>Tony - not sure if I understand the thread or the last para.
>
>And don't get me wrong either re the value of PKIs. Having worked with
>directories for about 12 years and PKIs for 5 or so, for real
>operational business environments I appreciate the standards process,
>the profiling process and the need to deal with operational models which
>today must include a distributed and consistent information management
>capability.
>
>My line of comments tries to address a major concern of the PKIX process,
>which is: that design anchors such as email addresses in certs, databases
>instead of distributed directory systems, inflexibility in PKI profiles
>because of theory, no recognition that business application (eg mobile
>phones, car tagging, banking, etc) needs to be dealt with in terms of
>its PKI approach differently and the need to keep adding things in
>certs that are dynamic in the real world - makes the discussion critical
>to say the least.
>
>As said PKIX is trying to profile X.509.. I have been involved with the
>directory X.500 ISPs for a few years - and that effort was reduced to
>zero almost because the technology and products surfaced into the market
>place and started dealing with real businesses - and that trying to
>mandate/option protocol and information fields in tables in standards
>for all circumstances in global business is impossible.
>
>In addition trying to shoe horn one PKI/CA - key management profile/
>cert processing design for all aspects of trusted transactions - which
>just happen to run over the internet, will also prove to be an
>impossible task.
>
>In addition - who will own the root level key for all this PKIX
>compliant stuff?
>
>As said PKIs will be built like directory services - for business
>domains and vertical markets that provide EC services under the
>control of those who want to invest in such (PKI supported) services.
>
>regards alan
>
>
>----------
>From: Tony Bartoletti
>To: Alan Lloyd; 'Stephen Kent'
>Cc: ''ietf-pkix@imc.org ' '; ''list@seis.nc-forum.com ' '
>Sent: 4/8/99 3:26:06 AM
>Subject: RE: Certificates, Directories, and Distinguished Names
>
>Just a General Observation:
>
>The "pack-it-in-the-cert"/"pack-it-in-a-directory" debate seems to
>parallel, in some ways, the recent thread on Anders' "CyberPhone"
>approach to outsourcing one's private-key handling.
>
>And "convenience," indeed, can only be ignored at one's peril (in
>a business model, at least:)
>
>Over all of this, I cannot help but be reminded of those who lived
>through the Great Depression, and to this day feel uncomfortable
>placing their money in banks. They will insist upon dealing in
>"cash", the kind they can stuff under their mattress, or bury in
>a steel box in the backyard. Foolish as it may seem to most, they
>insist upon being the final arbiters of their security/destiny,
>however ill-equipped to the task they may be.
>
>No amount of argument that, statistically, their money would be
>safer in a bank, or as bits-on-a-disk, will dissuade them.
>(And who knows, in the long run, if they will be wrong or right?)
>
>Must we promote a world so hostile to these individualists (they
>are many, if not majority) that they become shut-out of the future
>benefits that PKIs may afford?
>
>Is this concern not a silent undercurrent to many of these debates?
>
>___tony___
>
>
>
>Tony Bartoletti
>Center for Information Operations and Assurance
>Lawrence Livermore National Laboratory
>PO Box 808, L - 303
>Livermore, CA 94551-9900
>phone: 925-422-3881 fax: 925-423-8002
>email: azb@llnl.gov
>
>
>
Tony Bartoletti
Center for Information Operations and Assurance
Lawrence Livermore National Laboratory
PO Box 808, L - 303
Livermore, CA 94551-9900
phone: 925-422-3881 fax: 925-423-8002
email: azb@llnl.gov