
RE: PKIs and trust

2003-12-15 13:11:03
Paul Hoffman / IMC wrote:
At 4:29 PM -0500 12/14/03, Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu wrote:
On Sun, 14 Dec 2003 12:09:37 PST, Paul Hoffman / IMC said:

 All of that is describable, and many vendors have such products.
 There are no standards (or none that are significantly followed) for
 such assertions. So? Many different PKIs can handle such assertions,
 once you codify them.

I'm having a very hard time reading this as anything except "Sure, the
PKIs out there could do it, if we only understood it well enough to come
up with a consistent way that would work for everybody.  And since the PKI
could deal with it if we knew what we wanted it to deal with, it's not a
problem for actual production use of a PKI now".

Try harder then. Maybe try "The PKI works fine for this, as do the
signed messages, and we understand what we want, but we can't figure
out how to trust the other humans in the process." You can't find "a
consistent way that would work for everybody" if they can't define
why and how they trust each other.

There are literally billions of dollars that can be saved if someone
can figure out how to get the human trust part to work. Given that
the technical end of the PKI world has not changed much in the past
five years, it's pretty clear that if someone is leaving billions of
dollars on the table, the problem is pretty difficult and not prone
to a technical fix.

This has nearly nothing to do with the technical part of the PKI, and
everything to do with the humans.

Hence my original comment that the politicians need to broker the trust
relationships. There will clearly be multiple technical relationships, with
very different characteristics, just as there are for inter-personal trust
relationships outside the technical space. The fundamental point is that the
IETF is not capable of (nor in any position to) further the deployment of
PKIs until the non-technical aspects get resolved. On a global scale that
role has traditionally belonged to the ITU, so that would be a good place to
go as the next step. There are undoubtedly other organizations that need to
be involved on smaller scales, but this is a case where a top-down
consistent framework will probably make the technical job easier down the
road. Any way you want to define it, this is an aspect of Internet
governance, and it clearly doesn't belong to either ICANN or the IETF.

Tony




