Firewall Wizards mailing list archives
RE: PKI is the pits?
From: "Eugene Kuznetsov" <eugene () datapower com>
Date: Thu, 21 Oct 2004 23:15:52 -0400
Correct; this is functionally the same thing as pre-exchanging secret keys - only the key is the cert and it's "authenticated" via a telephone call. This is still primitive cryptography, it's just using high-tech tools: kind of like using a CNC milling machine to implement a stone axe. In most of these cases, secret keys would work just as well, be easier to field, have less performance (network and compute) cost, and be much less complex.
I love the CNC -> stone axe bit! But I'm not quite ready to take it as far as to say it's no better than symmetric schemes. Indeed, I'd argue that it's an example of "lightweight PKI" being quite valuable in real life. The reasons, in brief:
1. security advantage over shared secret, including the fact that a leaked cert cannot be used to impersonate the client
2. uses standards-based, very widely deployed SSL infrastructure
3. promotes use of good crypto (instead of none or rot-13)
4. has a path for pragmatic adoption of other PKI subsystems
meaning. Am I the only person who finds it silly that public key is largely used to set up temporary pipes over which passwords are exchanged? There is definite value to this, but "the cool stuff" is
Well, both SSL & WS-SecureConversation do this, after all, getting a bulk encryption key exchanged. I think the missing bit here is that for authentication & audit, the value of X.509 cert vs. username/password (perhaps with challenge-response) is unclear. The cool stuff is when you get to digitally signing documents, encrypting fields, and so on. And we've had no decent standards for that until recently... I argue that the two best things for "cool PKi" (note small "i") in the 21st century are probably Adobe Acrobat and XML DSIG & ENC.
unfortunately, XKMS is not taking off as quickly as one might hope
There has to be a reason why it isn't taking off quickly.
[..]
Do you have any sense of what might be going on there?
I think that a big reason is the market forces that you did such a great job of capturing in your note. There is not enough "push" behind XKMS, especially when compared to the (literally) 100's of millions of dollars being spent on promoting web services, WS-*, and SAML. Many of the PKI vendors have been devastated, and for those still in business, the investment in new technologies has slowed greatly. Plus, as you point out, they may be somewhat unsure of whether making PKI easier will be good for business! Meanwhile, new vendors (without a significant installed base) may have XKMS implementations, but do not have the customers. (The only real push has come from Verisign via Managed PKI services, but I think there are other -- non-XKMS -- barriers there).

So insufficient "vendor push" is one. Another is that many of the existing systems work, all that HTTP-CRL, copy-cert-and-try-again stuff we talked about earlier. So customers are not necessarily looking to replace them with XKMS, at least not until there is another wave of PKI rollouts. Contrast also with SAML, which is in many ways more ambitious, but has both a lot of push and a lot of pull.

-- Eugene
\\ Eugene Kuznetsov, Chairman & CTO : eugene () datapower com
\\ DataPower Technology, Inc. : Web Services security
\\ http://www.datapower.com : XML-aware networks
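The point made above about reason 1, that a copy of the server's credential store is enough to impersonate a client under a shared secret but not under a cert, is easy to see in code. The following is an added example, not part of the thread or of any DataPower product: a simplified challenge-response in both styles using only the Go standard library. The HMAC side needs the raw secret on the server; the cert side stores only a self-signed X.509 certificate and verifies an ECDSA signature over the challenge (real TLS client auth signs a handshake transcript instead, but the property is the same). The subject name, challenge bytes and secret are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Shared-secret scheme: both sides hold the same secret, so the verifier's
// credential store is, by construction, enough to impersonate every client in it.
func hmacResponse(secret, challenge []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(challenge)
	return m.Sum(nil)
}

// verifyHMAC is the server side; note that it needs the raw secret.
func verifyHMAC(secret, challenge, response []byte) bool {
	return hmac.Equal(hmacResponse(secret, challenge), response)
}

// Certificate scheme: the server stores only the cert (public key); a valid
// response needs the private key, which never leaves the client.
// newClientCert makes a throwaway ECDSA key and a self-signed cert for it.
// The subject name is an assumption for this example, not from the thread.
func newClientCert() (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "client.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return key, der, nil
}

// signChallenge is the client's response: an ECDSA signature over SHA-256(challenge).
func signChallenge(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// verifyWithCert is the server side: parse the stored cert and verify with its
// public key. No secret material is involved anywhere on this path.
func verifyWithCert(certDER, challenge, sig []byte) (bool, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("certificate does not carry an ECDSA key")
	}
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig), nil
}

// attackerWithCertOnly models someone who copied the server's store: they hold
// the cert but no private key, so the best they can do is sign with a key of
// their own. Returns whether the server accepted that forgery.
func attackerWithCertOnly(certDER, challenge []byte) (bool, error) {
	forged, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	sig, err := signChallenge(forged, challenge)
	if err != nil {
		return false, err
	}
	return verifyWithCert(certDER, challenge, sig)
}

func main() {
	challenge := []byte("nonce-20041021-0001")             // constructed sample
	secret := []byte("shared-secret-from-the-phone-call") // constructed sample
	fmt.Println("shared secret, copy of server store answers challenge:",
		verifyHMAC(secret, challenge, hmacResponse(secret, challenge)))
	key, der, err := newClientCert()
	if err != nil {
		panic(err)
	}
	sig, _ := signChallenge(key, challenge)
	realOK, _ := verifyWithCert(der, challenge, sig)
	forgedOK, _ := attackerWithCertOnly(der, challenge)
	fmt.Println("cert scheme, real client:", realOK, "| holder of cert only:", forgedOK)
}
```

The thing to notice is what each verifier has to keep: verifyHMAC cannot work without the secret itself, whereas verifyWithCert works from a blob you could publish. That is exactly the asymmetry behind "a leaked cert cannot be used to impersonate the client"; the client's private key, of course, still has to be protected, and a fresh challenge per attempt is what stops replay of an old signature.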