RE: Card Not Present, was Re: FW: comments



Comments follow 

----------
From: Tony Bartoletti
To: Alan Lloyd; 'EKR '; 'Ed Gerck '
Cc: 'spki '
Sent: 7/29/98 4:26:00 AM
Subject: RE: Card Not Present, was Re: FW: comments

At 02:24 AM 7/29/98 +1000, Alan Lloyd wrote:
>
>I would still like to say to the chairs of this group, that the spki
>document produced presents WRONG statements and its title is MISLEADING
>- but if they are happy with it.. that's the world they live in.
>
>regards alan

Alan,

Perhaps the document comes across a bit strong in declaring the "failure"
of X.509 with respect to the early visions of global directories and the
perceived utility of unique names, et al.  Perhaps "problematic" would
have been less harsh...



What the real failure has been is the wholesale condemnation of X.500 as
seen as a set of "protocols" - a "communications" perspective. This is
like condemning 747's because they have lots of wheels!
One should look at utility and service provision issues in distributed
information systems - not byte 3 bit 4 of the protocol header.

Directories are about object oriented, distributed name based
transaction systems on which mutual distributed authentication and
access control domains can be applied. Objects in the directory
represent real life entities - and X.509 certificates relate these
entities to digital key material in the context of a domain by an
issuer.
If you look at LDAP it is fundamentally broken in concept if only LDAP
servers are used.

ie with non X.500 LDAP servers, there is no distribution - no mutual
authentication between servers, no access control regimes, sloppy schema
management, no DIT management model....and total inability to follow
certificate paths across a distributed system ie. and one HAS to
replicate everything to everywhere - and that's operationally
impossible.

LDAP servers are unworkable for EC in the wider environment.. And we
know this because we build X.500 with LDAP client and server integration
capabilities beyond that of most on this planet.

YET nobody writes that pile of deficiencies into these documents.
No one says because of the Deficiencies in LDAP - X.500 should be
adopted.. Best to have a car door than the car eh!

With LDAP the more you get the worse it is.... What the LDAP server
technology does not do - Humans have to - and you need lots of these..
So much for "simple", "lightweight", etc eh.
A wooden car with square wheels is simple and lightweight - but I buy a
Ford... ditto SPKIs




As far as the title being misleading, I don't feel that is really the case.
Consider that the "Public" in any "PKI" properly refers to the use of
asymmetric keys, so-called "public-key" and "private-key" division. While
this wonderful discovery/invention lends itself to the building of global
key infrastructure, it need not be used globally to be called a
"public-key" infrastructure.


I disagree with some of the above - the word public is in the context of
a key system - this does not automatically implicate a global scale
deployment - a PKI is a function which is deployed, scaled and applied
according to business rules/markets and policy.

From your earlier writing, I surmise you are a strong advocate of the
utility of a "Global Authentication Infrastructure".  This may be of
great value to many, and equally frightening to others.  But either
way it has no rights to exclusive use of the term "PKI".


See above... I am an advocate that this planet needs to deal with
digital signatures, single points of authentication and service logon,
the integration of voice and data systems and the fundamental need for
information management, authentication and security through the use of
distributed directory systems - that can be deployed locally, nationally
or globally (eg white pages)... I hate these garbage protocol debates
that focus on bits on the wire and hexadecimal numbers when the real
issues are distributed information management systems and their
scalability and coherence.

However, the best approach to X.500 directories is to keep deploying
them - as we do..
over 20m entries and growing (very big entries) on 20+ DSAs with
automatic indexing on all things and 1000 searches a second on industry
strength RDB supported X.500 that has distributed mutual authentication
capability for its users can't be that bad..

 
regards alan