ietf-openpgp

X.509 is not a product (was S/MIME winz)

1998-03-22 11:54:37
Bill wrote:
X.509 is NOT a hierarchical PKI.
It's a syntax for one key certifying another key.

Exactly (and the rest of the posting is worth reading also). If you look back
to my original post, you will see I was referring to *operational* systems, 
not vapourware.

PGP is essentially a stand-alone product with its own hierarchy and the 
products are available. It is not an end-state but most of the pieces
are there.

Algorithms are trivial to change. Certificate generation/acceptance is also
easy to incorporate once agreed upon. The only problem arises if a required
element must be licensed and in that case nobody wins.

The infrastructure to change from an essentially personal product to one that 
is both global and ubiquitous is the hard part. I estimate it will take
two years - pressures are there, needs are there, is mostly a matter of doing
it.

Since S/MIME is now public, I expect that it will become the ICD of choice.
ASCII-Armour had its place as did UUEncode but will need to settle for a 
niche in the future, a BASE-64 future.

What we need now are standards. X.500 is one and by extension X.509 but just
as LDAP is producing a modified X.500, so is X.509 going to be modified. Not
a big thing.

Biggest question in my mind today is whether we will have single certificates
with extensible attributes and multiple signatures or just multiple attached
certificates. Suspect will be the latter but cannot tell yet.

In the meantime we are going to have to deal with a transition period of
maintaining connectivity with less-than-universal certificate use (the two
years I mentioned) and multiple platforms. Thus far PGP seems to be filling
that need but the question remains whether it will be able to transition.

Today, security is an add-on/add-in. Tomorrow it will be pervasive. How to 
get from A to B is what we are dealing with now.

                                 Warmly,
                                        Padgett

  • X.509 is not a product (was S/MIME winz), A. Padgett Peterson P.E. Information Security <=