ietf-asrg

Re: [Asrg] Email Certification Path Proposal

2003-03-11 01:17:16
On Tue, 11 Mar 2003 02:05:45 -0500, Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu wrote:

> 2) a Verisign/X.509 model where somebody runs a central set of servers.
> Nobody is going to do one of these that scales to Internet size for free
> either (hint - what percent of domains have their own CA that can sign
> certs for their users?)

[thinking aloud] 
Hmm - If we followed a hierarchical (heterarchic would probably be better)
model of CAs then someone would run a secure central repository for
certifying CAs who would then certify the rest of the world.

The technology is not expensive or complex - and apart from security issues
(which are not to be sneezed at) the technical resource implications are
very similar to running a mid-range ISP news or web server pool.

If we could find some sucker^Wkind-person who would host the initial
central CA for free and we could then find say a few dozen companies
who would offer free public CAs we could have an infrastructure in place
with little or no cost to the public.

Seriously...

Yes, the internet is very commercial these days however it should be
remembered that what we are talking about is a way to save ISPs
significant sums of money by being able to more effectively block spam/UCE
in some manner. The projected savings should be enough to convince many
of the larger ISPs that a small investment in becoming a public CA
will result in savings beyond the original cost. After all if what we
propose does not save more than it costs why are we doing it anyway?
- at least that's the view many businesses will have to take...

In the same way that ISPs block external access to news servers we will
have a number of ISPs that will want to offer CA services to their own
customer base only. How we avoid this happening is a question I have no
answer to...

Demon Internet tried the large private news pool + small slow public news
pool and this model failed for some reason - the public pool was withdrawn
after a few years with no stated reasons etc.

I suppose contracts could force CAs to remain public however we all know
force does not work... :-)

My last comment is that no matter what solution or technology is selected
we should aim for incremental implementation - "big bang" solutions
almost always fail (IMHO).

Anyway back to lurking ;-)

Jacqui


Jacqui Caren, Ingram Group Ltd. jacqui(_at_)ig(_dot_)co(_dot_)uk
ph: +44 (0) 1483 8628xx main=00 fax=01 ddi=65
http://www.ig.co.uk/ http://www.sitedirector.org/
http://www.perl.co.uk/


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg