
RE: PKIs and trust

2003-12-15 14:23:38
Comments in-line, prefaced by my initials "AWA".

                Al Arsenault


-----Original Message-----
From: Masataka Ohta [mailto:mohta@necom830.hpcl.titech.ac.jp]
Sent: Monday, December 15, 2003 2:15 PM
To: Al Arsenault
Cc: Franck Martin; Paul Hoffman / IMC; Keith Moore; ietf@ietf.org
Subject: Re: PKIs and trust


Al Arsenault;

Having worked in the "PKI" field for a loooonnnnggg time now,

Where can I find an authoritative reference on what "PKI", by
your definition, means?


AWA:  See, for example
http://www.ietf.org/internet-drafts/draft-ietf-pkix-roadmap-09.txt

From Section 1.2:

        Public Key Infrastructure (PKI) - The set of hardware, software,
        people, policies and procedures needed to create, manage, store,
        distribute, and revoke PKCs based on public-key cryptography.

Note that there's nothing in there about USING the keys/certificates to
accomplish any particular (business or other) task.  In other words, the
applications are external to the PKI.

Section 2 of that draft has some more details.


    - unfortunately, many people, when hearing the phrase "public key
infrastructure", think that that is what is meant/required, even though
most of us working in the field know that it's not required.

That's a fair statement, if you can clarify what, then, is required.

(From personal experience, my belief is that the single biggest failure of
PKI is the over-hyping and under-delivering of the technology.  People were
led to believe that once they had a PKI, their problems were solved.  That's
not the case.  I used to hate working with people who had bought a PKI from
somebody, not understanding that all they really needed then were the
applications that used the PKI/certificate stuff to do business the way
they wanted to do it.  The only thing worse was when I worked for a PKI
company, and had to work with a customer to whom our sales-critters had just
made a sale.  To start a conversation with "Joe didn't tell you you still
need..." wasn't fun.)

It seems to me that you think PKI not only exists but also can be purchased.

AWA:  Hmm - my terminology in my original posting was a bit suboptimal.
*Part* of the PKI can be purchased - namely, the hardware and software.  The
"people, policies, and procedures" bits get tricky - you generally cannot
buy them. (You can often buy "generic" policies and procedures manuals that
have to be tailored to your specific environment/rules, but you can't buy a
canned solution.) Those are also the parts over which many folk who have
tried to implement PKI have stumbled. In the original message, I should have
said "PKI hardware/software" or similar terms, rather than "a PKI".  Mea
culpa.

And, of course, the actual applications/business processes still have to be
provided from somewhere else.


So, where can I find your definition of "PKI"?

URLs please.

                                                      Masataka Ohta