I agree. With my mortgage customers (MISMO.org related) I have
argued that private certs signed by their business partner are better than a
cert issued by a well-known cert company. Anyone can buy a cert from
the well-known company. A cert signed by your business partner
cannot be bought from any vendor. And if managed correctly,
they can add/delete employees and application certs in real time.
However, PKI does not help e-commerce or financial transactions,
as discussed in my recent paper: "Meaninglessness of Public
Key Cryptography for Authentication on Consumable Credential"
(presented in Japan in Japanese):
Abstract: For electric transactions, the essential benefit
of public key cryptography over shared key cryptography is
that it is not necessary to communicate with a Certificate
Authority on each transaction. However, it is meaningless
to use public key cryptography for authentication on
consumable credentials, such as authentication of the remaining
credential in an account for electric payment, as fraud with
tremendous damage is easily performed, unless communication
with the authorities that manage the account, to decrease the remaining
credential, is required on each transaction.
The problem of PKI without realtime management of the remaining
credential is that an attacker can use 1K USD worth of certs
from 1000 different locations for 1000 seconds, 1000 times a
second, the total amount of damage of which is 1T USD.
Credentials can be created only with direct communication.
Doug Royer | http://INET-Consulting.com
Doug(_at_)Royer(_dot_)com | Office: (208)520-4044
http://Royer.com/People/Doug | Fax: (866)594-8574 | Cell: (208)520-4044
We Do Standards - You Need Standards