Adam Back wrote:
On top of that DNSSEC presumes a PKI, which as we've seen over the
last 5 years is a hard thing to deploy in and of itself.
Also untrue.
This is a political debate for another list. Hardly "untrue", at the
very least it's a debatable point, stock prices and recent histories
of PKI bankruptcies could be read to indicate PKI has it's own
technical and economic infrastructure deployment problems.
Heh. PKI (at least how it's embodied in current tools etc) is
tremendously complicated, somewhat non-interoperable amongst vendors
(though that's finally improving), and it's very difficult to deploy/use
client PKI in the large-scale even with relatively uniform
installed-base software on the user-end. We have the bloody fingers to
prove it.
PKI is coming, but it's not mature enough yet. Security Dynamics,
Versign's parent (or grandparent or something, I've lost track), has
advertising videos where some of their other customers are saying the
same thing. Dow Chemical IT said in 1999 or 2000 "We'll start getting
serious about client PKI in 2004". I think they were a trifle too
optimistic.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg