RE: Certificates, Directories, and Distinguished Names
Tony, thanks for that. May I address something that has always concerned
me about the view presented of directories.
snips from the text.
> I make an analogy between some folks reluctance to "bank",
> and those who are similarly ill-at-ease allowing what might
> be considered privacy info to be accessible via directories.
snip
> I see this sentiment "below the surface" when discussions of
> global directories with searchable hierarchical Names are on
> the table. It suggests a lack of control on the part of the
> data-owner, and no amount of "we can make it real real secure
> with lots of money" will assuage the unease.
>
If I said use a "database" for the PKI and personal info - which
has been used all over the planet for the last 25 years - people are
comfortable with that. If I said directory systems - there is an
assumption that the whole planet can read the info regardless.
Directories - are really a shift in information engineering that
removes the distributed limitations of RDBs and in addition provides a
coherent OO schema approach, a coherent authentication and ACI regime,
use of common protocols for access, distribution and replication and
many other new properties for engineering distributed systems.
Directories are nothing more than a major advancement in information
storage and information protection technology and provide many common
things that one would have to bespokely engineer with database
approaches.
Why there is this view that X.500 is big, slow, is the world's one
and only directory (which will never be deployed) and cannot be used for
private data instead of an RDB - astounds me - simply because all that
is so, so wrong. All directories are is an evolution in information
engineering for storage and access which should be used to one's advantage
and privately if desired - after all, that is what technology
improvements are about.
I would like to think that those proposing a PKI for the
internet or internet related services see the limitations of trying to
put all one's data in an RDB and try telling a customer - all you need is
this certificate server - in which you have to name things the same way
or a different way to the other 26 databases they have with named items
in.
The issue of deploying secure information services - in most
cases requires that a major clean up of the tens of databases and address
books one has with many name forms - first -- the real-world approach to
this is directory services (which can be private).
hope this helps
thanks and regards alan
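The "many name forms" point above is what a directory's name matching resolves. The following is an added example, not code from the original thread or from any X.500/LDAP product: a small parser for the RFC 2253 string form of a distinguished name, plus the comparison and hierarchy operations a directory performs on it, so that two DN strings differing in case, spacing, escaping or the order of a multi-valued RDN's components are recognised as the same entry, and parent/subtree relationships fall out of the RDN sequence. It assumes that every attribute type in CASE_IGNORE_TYPES uses caseIgnoreMatch; a real directory applies the matching rule its schema assigns to each type.

```python
"""RFC 2253 distinguished name parsing, normalisation and hierarchy.

Added example, not from the original message or from any directory
product. Assumption: the attribute types listed in CASE_IGNORE_TYPES
are compared with caseIgnoreMatch (fold case, collapse whitespace);
other types are compared exactly. Single-byte \\XX hex escapes only.
"""

# Naming attributes assumed to use caseIgnoreMatch (an assumption of this
# example; the directory schema is the authority in a real deployment).
CASE_IGNORE_TYPES = {"cn", "o", "ou", "c", "l", "st", "dc", "uid", "mail"}
_HEX = "0123456789abcdefABCDEF"
_SPECIAL = ',+"\\<>;'


def _text(buf):
    """Join (char, escaped) pairs, dropping unescaped leading/trailing spaces."""
    start, end = 0, len(buf)
    while start < end and buf[start] == (" ", False):
        start += 1
    while end > start and buf[end - 1] == (" ", False):
        end -= 1
    return "".join(c for c, _ in buf[start:end])


def parse_dn(dn):
    """Split a DN string into RDNs, leftmost (most specific) first.

    Each RDN is a list of (type, value) pairs; '+' joins the pairs of a
    multi-valued RDN. Handles '\\c' literal escapes and '\\XX' hex escapes.
    """
    rdns, rdn, buf = [], [], []
    attr, in_type, i = None, True, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            hex2 = dn[i + 1:i + 3]
            if len(hex2) == 2 and all(c in _HEX for c in hex2):
                buf.append((chr(int(hex2, 16)), True))   # \XX hex escape
                i += 3
            else:
                buf.append((dn[i + 1], True))            # \c literal escape
                i += 2
            continue
        if in_type and ch == "=":
            attr, buf, in_type = _text(buf).lower(), [], False
        elif not in_type and ch in ",;+":
            rdn.append((attr, _text(buf)))
            attr, buf, in_type = None, [], True
            if ch != "+":                # ',' or ';' closes the RDN
                rdns.append(rdn)
                rdn = []
        else:
            buf.append((ch, False))
        i += 1
    if attr is None:
        raise ValueError("malformed DN: %r" % dn)
    rdn.append((attr, _text(buf)))
    rdns.append(rdn)
    return rdns


def _norm_value(attr, value):
    """caseIgnoreMatch for the assumed types: fold case, collapse whitespace."""
    if attr in CASE_IGNORE_TYPES:
        return " ".join(value.split()).lower()
    return value


def _escape(value):
    """Re-escape special characters, and leading '#'/space and trailing space."""
    s = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if s.startswith("#") or s.startswith(" "):
        s = "\\" + s
    if len(value) > 1 and s.endswith(" "):
        s = s[:-1] + "\\ "
    return s


def _to_string(rdns):
    """Canonical string: components of each RDN sorted, RDNs joined with ','."""
    out = []
    for rdn in rdns:
        parts = sorted((a, _norm_value(a, v)) for a, v in rdn)
        out.append("+".join("%s=%s" % (a, _escape(v)) for a, v in parts))
    return ",".join(out)


def normalize_dn(dn):
    """Canonical form suitable as an equality key or index key."""
    return _to_string(parse_dn(dn))


def dn_equal(a, b):
    """True if both strings name the same directory entry."""
    return normalize_dn(a) == normalize_dn(b)


def superior(dn):
    """Canonical name of the parent entry, or None for a one-RDN name."""
    rdns = parse_dn(dn)
    return _to_string(rdns[1:]) if len(rdns) > 1 else None


def is_subordinate(dn, base):
    """Subtree-scope test: does dn lie strictly below base in the DIT?"""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) > len(b) and _to_string(d[len(d) - len(b):]) == _to_string(b)
```

With constructed names such as `CN=Alan Lloyd, O=Example, C=AU` and `cn=alan   lloyd,o=example,c=au`, `dn_equal` reports one entry, `superior` walks up the tree (`ou=pki,o=example,c=au` for an entry under OU=PKI) and `is_subordinate` is the check a subtree-scoped search applies before returning an entry. Escaped separators (`Lloyd\, Alan`, or the hex form `\2c`) survive the round trip, which is where ad hoc string comparisons across several databases usually go wrong.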
> These concerns seem laughable in the face of the main PKI
> motivations dealt with here, being high-volume internet commerce.
> And yet I am sure there are many who see the promise of security
> (in privacy and identity) in public key technology, and hope to
> see it serve their ends in this way.
>
> This is not to disparage the notion that directories will
> be deployed and critical in a great many venues. If my "private"
> information were not lying around on the disks of credit agencies,
> I would have a hard time using all the plastic in my wallet.
>
> I simply share the feelings of many, I suspect, that commercial
> concerns about how to best use keys and certs will overshadow
> those uses where there are not quick-bucks to be made, and
> that protocols tailored to the commercial uses will force
> others into obscurity.
>
> Regards,
>
> ___tony___
>
>
> At 07:57 AM 4/8/99 +1000, Alan Lloyd wrote:
> >
> >Tony - not sure if I understand the thread or the last para.
> >
> >And don't get me wrong either re the value of PKIs. Having worked with
> >directories for about 12 years and PKIs for 5 or so, for real
> >operational business environments I appreciate the standards process,
> >the profiling process and the need to deal with operational models which
> >today must include a distributed and consistent information management
> >capability.
> >
> >My line of comments tries to address a major concern of the PKIX process,
> >which is: that design anchors such as email addresses in certs, databases
> >instead of distributed directory systems, inflexibility in PKI profiles
> >because of theory, no recognition that business application (eg mobile
> >phones, car tagging, banking, etc) needs to be dealt with in terms of
> >its PKI approach differently and the need to keep adding things in
> >certs that are dynamic in the real world - makes the discussion critical
> >to say the least.
> >
> >As said, PKIX is trying to profile X.509. I have been involved with the
> >directory X.500 ISPs for a few years - and that effort was reduced to
> >zero almost because the technology and products surfaced into the market
> >place and started dealing with real businesses - and that trying to
> >mandate/option protocol and information fields in tables in standards
> >for all circumstances in global business is impossible.
> >
> >In addition, trying to shoehorn one PKI/CA - key management profile/
> >cert processing design for all aspects of trusted transactions - which
> >just happen to run over the internet, will also prove to be an
> >impossible task.
> >
> >In addition - who will own the root level key for all this PKIX
> >compliant stuff?
> >
> >As said, PKIs will be built like directory services - for business
> >domains and vertical markets that provide EC services under the
> >control of those who want to invest in such (PKI supported) services.
> >
> >regards alan
> >
> >
> >----------
> >From: Tony Bartoletti
> >To: Alan Lloyd; 'Stephen Kent'
> >Cc: 'ietf-pkix@imc.org'; 'list@seis.nc-forum.com'
> >Sent: 4/8/99 3:26:06 AM
> >Subject: RE: Certificates, Directories, and Distinguished Names
> >
> >Just a General Observation:
> >
> >The "pack-it-in-the-cert"/"pack-it-in-a-directory" debate seems to
> >parallel, in some ways, the recent thread on Anders' "CyberPhone"
> >approach to outsourcing one's private-key handling.
> >
> >And "convenience," indeed, can only be ignored at one's peril (in
> >a business model, at least:)
> >
> >Over all of this, I cannot help but be reminded of those who lived
> >through the Great Depression, and to this day feel uncomfortable
> >placing their money in banks. They will insist upon dealing in
> >"cash", the kind they can stuff under their mattress, or bury in
> >a steel box in the backyard. Foolish as it may seem to most, they
> >insist upon being the final arbiters of their security/destiny,
> >however ill-equipped to the task they may be.
> >
> >No amount of argument that, statistically, their money would be
> >safer in a bank, or as bits-on-a-disk, will dissuade them.
> >(And who knows, in the long run, if they will be wrong or right?)
> >
> >Must we promote a world so hostile to these individualists (they
> >are many, if not majority) that they become shut-out of the future
> >benefits that PKIs may afford?
> >
> >Is this concern not a silent undercurrent to many of these debates?
> >
> >___tony___
> >
> >
> >
> >Tony Bartoletti LL
> >Center for Information Operations and Assurance LL LL
> >Lawrence Livermore National Laboratory LL LL LL
> >PO Box 808, L - 303 LL LL LL
> >Livermore, CA 94551-9900 LL LL LLLLLLLL
> >phone: 925-422-3881 fax: 925-423-8002 LL LLLLLLLL
> >email: azb@llnl.gov LLLLLLLL
> >
> >
> >