> a certificate infrastructure [...] was
> not proposed and adopted because of any hidden agenda but because
> it provided necessary elements in support of the _services_ the
> authors wished to provide.

If that certificate infrastructure had in fact been provided, we wouldn't be
having this discussion. As soon as the PEM RFCs came out, I wanted to use
PEM. I couldn't, because the IPRA didn't exist, no other PCAs existed, no
software for generating or processing PEM messages existed, and no free
reference implementations were even *possible* at the time (this being before
the days of RSAREF).
I don't think it was a hidden agenda. I think it was idealism winning out
over pragmatism.

> The fact that it is wrapped neatly doesn't make it more attractive
> because it doesn't supply the services I believe are needed; it
> only exposes the techniques.

A bird in the hand is worth two in the bush. PGP was deployed. PEM was not.
So far, this means that PGP wins. I'd like to see PEM win, but <expletive
deleted>, that cannot and will not happen until we settle on a baseline, build
it, deploy it, and provide the necessary services.

> Please be sure to inform your customers who use self-signed
> certificates and other substitutes for the PEM certificate hierarchy
> that they are not enjoying non-repudiation or data-origin
> authentication.

Certainly. But they've at least got something. At least the IPRA has a key
now, and exists to some extent, despite a complete lack of procedures or
information on how to get a PCA certified under it, a lack of certificates for
pre-existing PCAs (as far as I know) and any method for personal/residential
users to obtain certificates.
PGP is worse than PEM. PGP is, however, better than nothing. I can no longer
afford to offer my customers nothing.
I should end this message now. I'm feeling the urge to quote Sun Tzu.
Amanda Walker
InterCon Systems Corporation
PGP Key fingerprint: 594F63C03B52DC4E37E9160DE733CD87
PEM MD5OfPublicKey: 8E4A21B7025943DE2EDC7CC038B3D6B1