If we are considering changing the certificate mechanisms, I'd like to
open the question of whether X.509 certificates should even be used in
future key-certification systems.

It's clear that the X.400/X.500 architecture for electronic mail has
only a niche future. There is no inherent reason to use it on the
Internet except that "it was there when we needed certificates". But
its addressing mechanisms are cumbersome for use on the Internet, and
integrate very poorly with current and proposed Internet standards for
electronic mail, communications security, and commerce. Some of the
delay in creation and deployment of badly needed cryptographic
standards such as secure DNS and PEM was caused by trying to integrate
these unwieldy addresses (because of the lack of a developed
alternative more suitable to use on the Internet).

Basically, X.509 certificates, as currently understood and deployed,
require a complete dictionary-based one-to-one mapping between
Internet protocol elements (such as email addresses or host addresses)
and X.500 addresses. This lack of integration makes their use
cumbersome -- not only in the development of applications and
infrastructure, but all the way into the daily interface of end-users.
It requires that end-users maintain trusted directories in order to do
the simplest operation, such as determining whether an email message
is from the person it purports to be from.

There are clearly lessons we can take from the X.509 experience, but I
believe that we should learn those lessons and use the experience to
design a mechanism that works well on the Internet. Now, when we are
considering a revision of the technical certificate structure, and
before widespread deployment of ANY digital signature system, is the
time to do it right. Failure to seize this opportunity will result in
key certification remaining needlessly complex and error-prone
throughout the remaining lifetime of the Internet.
--
John Gilmore gnu@toad.com -- gnu@eff.org