Re: My comments on the X/Open PKI requirements document

Carl Ellison wrote:
>At 08:42 AM 4/5/96 -0500, Rodney Thayer wrote:
>>fine.  you want another comment?  I think it's insane we have at least five
>>standards organizations or groups looking at vaguely the same problem.
>>(spki, pkix, x.509, aba, x/open.)
>What's even stranger to me is that most of these are falling back on the old
>X.509 path.  If that were the answer, there would be no reason to have so
>much discussion.  The flurry of discussion reinforces my belief that that
>emperor has no clothes.

At least on SPKI, I think we have realized that there are two, almost
totally unrelated problems being addressed.  These are the problems of
establishing trust and establishing a "true name".  For many applications
(e.g. distributed capability systems), you don't need "true names", but you
do need to be able to establish that the caller indeed possesses the
capability being invoked (A form of trust).  (The interesting item here is
that you don't absolutely need certificates for distributed capabilities.)

On the other hand, if you are trying to make traditional contracts, you
need to know where to send the process server should the other party
default, so you need a "true name".

Many of us are reluctant to trust a strictly hierarchal system of "true
names" for certain applications because of the long history of governments
(the most likely top dog party in such a system) issuing false
identification for their own purposes.

I am posting only to SPKI since I am strongly reluctant to post to groups I
don't subscribe to.  Please feel free to re-post this message if you think
it applicable to other groups.

Regards - Bill

Bill Frantz       | The CDA means  | Periwinkle  --  Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA