Comments in-line, prefaced by my initials "AWA".
Al Arsenault
-----Original Message-----
From: Masataka Ohta
[mailto:mohta(_at_)necom830(_dot_)hpcl(_dot_)titech(_dot_)ac(_dot_)jp]
Sent: Monday, December 15, 2003 2:15 PM
To: Al Arsenault
Cc: Franck Martin; Paul Hoffman / IMC; Keith Moore; ietf(_at_)ietf(_dot_)org
Subject: Re: PKIs and trust
Al Arsenault;
Having worked in the "PKI" field for a loooonnnnggg time now,
Where can I find an authoritative reference on what "PKI", by your definition, means?
AWA: See, for example http://www.ietf.org/internet-drafts/draft-ietf-pkix-roadmap-09.txt
From Section 1.2:
Public Key Infrastructure (PKI) - The set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, and revoke PKCs based on public-key cryptography.
Note that there's nothing in there about USING the keys/certificates to accomplish any particular (business or other) task. In other words, the applications are external to the PKI.
Section 2 of that draft has some more details.
- unfortunately, many people when hearing the phrase "public key infrastructure" think that that is what is meant/required, even though most of us working in the field know that it's not required.
That's a fair statement, if you can clarify what, then, are required.
(From personal experience, my belief is that the single biggest failure of PKI is the over-hyping and under-delivering of the technology. People were led to believe that once they had a PKI, their problems were solved. That's not the case. I used to hate working with people who had bought a PKI from somebody, not understanding that all they really needed then were the applications that let them use the PKI/certificate stuff to do business the way they wanted to do it. The only thing worse was when I worked for a PKI company, and had to work with a customer to whom our sales-critters had just made a sale. To start a conversation with "Joe didn't tell you you still need..." wasn't fun.)
It seems to me that you think PKI not only exists but also can be purchased.
AWA: Hmm - my terminology in my original posting was a bit suboptimal. *Part* of the PKI can be purchased - namely, the hardware and software. The "people, policies, and procedures" bits get tricky - you generally cannot buy them. (You can often buy "generic" policies and procedures manuals that have to be tailored to your specific environment/rules, but you can't buy a canned solution.) Those are also the parts over which many folk who have tried to implement PKI have stumbled. In the original message, I should have said "PKI hardware/software" or similar terms, rather than "a PKI". Mea culpa.
And, of course, the actual applications/business processes still have to be provided from somewhere else.
So, where can I find your definition of "PKI"? URLs please.
Masataka Ohta