Firewall Wizards mailing list archives

RE: PKI is the pits?


From: "Eugene Kuznetsov" <eugene () datapower com>
Date: Sat, 16 Oct 2004 19:40:09 -0400

I read this, and I'm not impressed. I'd like to offer the following
commentary:

1. in my experience, public key cryptography is far more prevalent than full
public key infrastructure, which means that many of these additional
complications are simply not present... obviously, sometimes this is a
security risk; the definition of PKI seems to vary in the eye of the beholder

2. simpler protocols and solutions are far more prevalent than their more
advanced cousins; for example, people use simple HTTP CRLs much more than
OCSP; sometimes "key revocation" is accomplished by simply deleting
authorized certs from gateways or servers

3. every large organization has some kind of PKI in place, although its
penetration into all of the applications is often limited; this is probably
because of both the challenges cited and the lack of a strong business
requirement

4. one of the most frequent uses of "PKI" is partners connecting to
extranets by using mutually authenticated SSL; usually there is absolutely
no "infrastructure", other than loading the authorized cert (or signing cert)
onto the access control proxy or maybe into LDAP; revocation involves
deleting the cert.

5. some of the work in XKMS and web services more generally does address
some of the traditional PKI challenges, and also creates a new field of
application for the technology; digital signatures of individual
transactions and public key encryption are probably getting more use now
than in the preceding 20 years, precisely because of WS-Security, SAML, etc;
unfortunately, XKMS is not taking off as quickly as one might hope



\\ Eugene Kuznetsov, Chairman & CTO  : eugene () datapower com 
\\ DataPower Technology, Inc.        : Web Services security 
\\ http://www.datapower.com          : XML-aware networks   

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com 
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
Of Christopher Hicks
Sent: Tuesday, October 12, 2004 9:38 PM
To: Firewall Wizards Mailing List
Subject: [fw-wiz] PKI is the pits?

I got this in my Linux Today newsletter for today:

      EBCVG: TEN THINGS I WISH THEY WARNED ME ABOUT PKI

      "In this paper we look at a number of practical organizational
      issues that pure PKI suppliers often fail to mention..."

      COMPLETE STORY:
      
http://nl.internet.com/ct.html?rtr=on&s=1,166k,1,48kz,m734,bfaz,g6x1

My read of the actual article (which you can find directly at
http://www.ebcvg.com/articles.php?id=271 if you want to avoid getting
clicktracked) ... the actual article is much more scathing than this short
summary would indicate.  I don't think many folks would even try to
implement PKI after reading this.  So, as a rather lazy Linux admin I'm
compelled to ask: have others who have swallowed the PKI pill lived to tell
the story?  Is it really this bad?  What can be done better?  Is anybody
trying to do it better?

-- 
</chris>

Westheimer's Discovery:
   "A coupla months in the laboratory can save a coupla hours 
in the library."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
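The two "no infrastructure" revocation models Eugene describes in points 2 and 4 above (an explicit list of authorized partner certs on the access-control proxy, where revocation means deleting the cert, and a CA-issued CRL of the kind normally pulled over plain HTTP), written out as an added example in Go. This is not code from the thread or from DataPower; the gateway, the CA, the partner names (alice/bob.partner.example), the serial numbers and the CRL are all constructed in-process so the example runs offline, and x509.ParseRevocationList and CheckSignatureFrom need Go 1.19 or later.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Gateway is the trust state of a hypothetical extranet access-control proxy.
type Gateway struct {
	Roots   *x509.CertPool       // the one CA that signs partner certs
	Allowed map[string]bool      // SHA-256 of the DER cert -> authorized
	CRL     *x509.RevocationList // CA-issued CRL, in practice fetched over HTTP
}

// Fingerprint keys the allow-list on the whole DER cert, not on the subject name.
func Fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// Revoke is the "just delete the cert from the gateway" model.
func (g *Gateway) Revoke(c *x509.Certificate) { delete(g.Allowed, Fingerprint(c)) }

// LoadCRL refuses a CRL the trusted CA did not sign; the HTTP fetch itself proves nothing.
func (g *Gateway) LoadCRL(der []byte, ca *x509.Certificate) error {
	rl, err := x509.ParseRevocationList(der)
	if err == nil {
		if err = rl.CheckSignatureFrom(ca); err == nil {
			g.CRL = rl
		}
	}
	return err
}

// Authorize: after the TLS handshake proved key possession, chain to the CA, then check both revocation sources.
func (g *Gateway) Authorize(c *x509.Certificate, now time.Time) error {
	if _, err := c.Verify(x509.VerifyOptions{Roots: g.Roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	if !g.Allowed[Fingerprint(c)] {
		return errors.New("cert is not on the gateway allow-list")
	}
	if g.CRL != nil {
		for _, rc := range g.CRL.RevokedCertificates {
			if rc.SerialNumber.Cmp(c.SerialNumber) == 0 {
				return errors.New("cert serial is listed in the CA's CRL")
			}
		}
	}
	return nil
}

// check panics on error; everything below is demo setup, not gateway logic.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with parentKey; a nil parent yields a self-signed CA.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c, key
}

// NewDemo builds constructed material: a CA, certs for Alice and Bob, and a gateway that lists both but holds a CRL revoking Bob's.
func NewDemo(now time.Time) (gw *Gateway, alice, bob *x509.Certificate) {
	tmpl := func(serial int64, cn string, eku ...x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: eku}
	}
	caTmpl := tmpl(1, "Partner CA (constructed)")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	ca, caKey := issue(caTmpl, nil, nil)
	alice, _ = issue(tmpl(100, "alice.partner.example", x509.ExtKeyUsageClientAuth), ca, caKey)
	bob, _ = issue(tmpl(101, "bob.partner.example", x509.ExtKeyUsageClientAuth), ca, caKey)
	crl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: bob.SerialNumber, RevocationTime: now}}}, ca, caKey)
	check(err)
	gw = &Gateway{Roots: x509.NewCertPool(), Allowed: map[string]bool{Fingerprint(alice): true, Fingerprint(bob): true}}
	gw.Roots.AddCert(ca)
	check(gw.LoadCRL(crl, ca))
	return gw, alice, bob
}
```

Calling NewDemo and then Authorize from a main or test: Alice is admitted, Bob is refused because his serial is on the CRL, a cert from an unrelated CA fails chain building before the allow-list is even consulted, and after gw.Revoke(alice) Alice is refused too. Two caveats the thread's "just delete the cert" shorthand hides: the allow-list is keyed on the certificate's fingerprint rather than its subject name, so re-issuing a cert to a deleted partner does not silently re-admit them, and the CRL is only trusted after its signature is checked against the CA, because the HTTP fetch authenticates nothing. The example also leaves the fail-open/fail-closed decision for a stale or unfetchable CRL to the operator; it simply keeps whatever CRL was last loaded.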

