At 4:29 PM -0500 12/14/03, Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu wrote:
On Sun, 14 Dec 2003 12:09:37 PST, Paul Hoffman / IMC said:
All of that is describable, and many vendors have such products.
There are no standards (or none that are significantly followed) for
such assertions. So? Many different PKIs can handle such assertions,
once you codify them.

I'm having a very hard time reading this as anything except "Sure, the
PKIs out there could do it, if we only understood it well enough to come
up with a consistent way that would work for everybody. And since the PKI
could deal with it if we knew what we wanted it to deal with, it's not a
problem for actual production use of a PKI now".

Try harder then. Maybe try "The PKI works fine for this, as do the
signed messages, and we understand what we want, but we can't figure
out how to trust the other humans in the process." You can't find "a
consistent way that would work for everybody" if they can't define
why and how they trust each other.

There are literally billions of dollars that can be saved if someone
can figure out how to get the human trust part to work. Given that
the technical end of the PKI world has not changed much in the past
five years, it's pretty clear that if someone is leaving billions of
dollars on the table, the problem is pretty difficult and not prone
to a technical fix.

This has nearly nothing to do with the technical part of the PKI, and
everything to do with the humans.

--Paul Hoffman, Director
--Internet Mail Consortium