Firewall Wizards mailing list archives
RE: PKI is the pits?
From: "Eugene Kuznetsov" <eugene () datapower com>
Date: Sat, 16 Oct 2004 19:40:09 -0400
I read this, and I'm not impressed. I'd like to offer the following commentary:

1. In my experience, public key cryptography is far more prevalent than full public key infrastructure, which means that many of these additional complications are simply not present... obviously, sometimes this is a security risk; the definition of PKI seems to vary in the eye of the beholder.

2. Simpler protocols and solutions are far more prevalent than their more advanced cousins; for example, people use simple HTTP CRLs much more than OCSP; sometimes "key revocation" is accomplished by simply deleting authorized certs from gateways or servers.

3. Every large organization has some kind of PKI in place, although its penetration into all of the applications is often limited; this is probably because of both the challenges cited and the lack of a strong business requirement.

4. One of the most frequent uses of "PKI" is partners connecting to extranets by using mutually authenticated SSL; usually there is absolutely no "infrastructure", other than loading the authorized cert (or signing cert) onto the access control proxy or maybe into LDAP; revocation involves deleting the cert.

5. Some of the work in XKMS and web services more generally does address some of the traditional PKI challenges, and also creates a new field of application for the technology; digital signatures of individual transactions and public key encryption are probably getting more used now than in the preceding 20 years, precisely because of WS-Security, SAML, etc.; unfortunately, XKMS is not taking off as quickly as one might hope.

\\ Eugene Kuznetsov, Chairman & CTO : eugene () datapower com
\\ DataPower Technology, Inc. : Web Services security
\\ http://www.datapower.com : XML-aware networks
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Christopher Hicks
Sent: Tuesday, October 12, 2004 9:38 PM
To: Firewall Wizards Mailing List
Subject: [fw-wiz] PKI is the pits?

I got this in my Linux Today newsletter for today:

EBCVG: TEN THINGS I WISH THEY WARNED ME ABOUT PKI
"In this paper we look at a number of practical organizational issues that pure PKI suppliers often fail to mention..."
COMPLETE STORY: http://nl.internet.com/ct.html?rtr=on&s=1,166k,1,48kz,m734,bfaz,g6x1

My read of the actual article (which you can find directly at http://www.ebcvg.com/articles.php?id=271 if you want to avoid getting clicktracked) ... the actual article is much more scathing than this short summary would indicate. I don't think many folks would even try to implement PKI after reading this. So, as a rather lazy Linux admin I'm compelled to ask: have others who have swallowed the PKI pill lived to tell the story? Is it really this bad? What can be done better? Is anybody trying to do it better?

--
</chris>

Westheimer's Discovery: "A coupla months in the laboratory can save a coupla hours in the library."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
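The two revocation styles Eugene contrasts in points 2 and 4, deleting an authorized cert from the gateway versus consulting a CA-published CRL, side by side in working Go. This is an added example and not code from the thread or from DataPower: the "Extranet CA", the partner and impostor certs, their serial numbers and the gateway model are all assumed for the demo and generated in-process with crypto/x509 (Go 1.19 or newer), and the CRL bytes are produced locally rather than fetched over HTTP from a distribution point.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on key-generation or DER-encoding errors, which are not the point here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// newCert issues a client-auth cert signed by parent, or a self-signed CA when parent is nil.
func newCert(serial int64, cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil { // self-signed: a CA allowed to sign both certs and CRLs
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// allowlistCheck is all of mode 1: accepted only while the fingerprint is loaded on the gateway.
func allowlistCheck(authorized map[string]bool, c *x509.Certificate) error {
	if authorized[fingerprint(c)] {
		return nil
	}
	return fmt.Errorf("%s: not loaded on the gateway", c.Subject.CommonName)
}

// publishCRL plays the CA: sign a CRL of revoked serials, parsed back as the gateway
// would parse the DER it GETs from the CRL distribution point.
func publishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, number int64, revoked ...int64) *x509.RevocationList {
	t := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		t.RevokedCertificates = append(t.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, t, ca, caKey))))
}

// crlCheck is mode 2. Go's Verify builds the chain but never consults a CRL, so the lookup is
// explicit and fails closed: no CRL, CRL not signed by the cert's real issuer, or stale CRL.
func crlCheck(c *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList) error {
	chains, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return err
	}
	if crl == nil || len(chains[0]) < 2 || crl.CheckSignatureFrom(chains[0][1]) != nil || time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("%s: no usable CRL for its issuer", c.Subject.CommonName)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return fmt.Errorf("%s: serial %s is revoked", c.Subject.CommonName, c.SerialNumber)
		}
	}
	return nil
}

// Scenario runs both modes; a nil value means the gateway accepted the cert.
func Scenario() map[string]error {
	ca, caKey := newCert(1, "Extranet CA", nil, nil)
	partnerA, _ := newCert(1001, "partner-a", ca, caKey)
	partnerB, _ := newCert(1002, "partner-b", ca, caKey)
	impostor, _ := newCert(1001, "impostor", nil, nil) // self-signed, reuses partner-a's serial
	authorized := map[string]bool{fingerprint(partnerA): true}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	r := map[string]error{"allow:before": allowlistCheck(authorized, partnerA)}
	delete(authorized, fingerprint(partnerA)) // the whole revocation procedure in mode 1
	r["allow:after"] = allowlistCheck(authorized, partnerA)
	r["crl:none"] = crlCheck(partnerA, roots, nil) // nothing fetched yet
	crl := publishCRL(ca, caKey, 7, 1001)          // the CA revokes partner-a
	r["crl:revoked"] = crlCheck(partnerA, roots, crl)
	r["crl:peer"] = crlCheck(partnerB, roots, crl)     // untouched partner still passes
	r["crl:impostor"] = crlCheck(impostor, roots, crl) // chain fails before any serial lookup
	return r
}

func main() {
	fmt.Println(Scenario())
}
```

Two things a practitioner should take from this. In mode 1 the gateway never fetches anything, so there is nothing to go stale or to be served by the wrong party, but every cert has to be loaded and deleted by hand on every gateway. In mode 2 the library's chain validation does not cover revocation at all; the gate in crlCheck has to be written, and written to fail closed, or a missing or stale CRL silently turns into "everything is still valid". The serial lookup is bound to the issuer found in the verified chain, which is why the impostor with a colliding serial is rejected before the CRL is even consulted.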
Current thread:
- PKI is the pits? Christopher Hicks (Oct 14)
- Re: PKI is the pits? Bennett Todd (Oct 14)
- RE: PKI is the pits? Eugene Kuznetsov (Oct 17)
- RE: PKI is the pits? Marcus J. Ranum (Oct 17)
- PIX Books Shimon Silberschlag (Oct 22)
- Re: PIX Books Josh Welch (Oct 22)
- Re: PIX Books greg padden (Oct 22)
- Re: PIX Books Matthew Powell (Oct 25)
- RE: PIX Books sci-admin (Oct 30)
- RE: PKI is the pits? Eugene Kuznetsov (Oct 22)
- RE: PKI is the pits? Marcus J. Ranum (Oct 17)