Number of steps is not a determinant of security. Strength of each step and of the aggregate chain is what matters. Strength comes from discipline and process. The surest way to create insecurity is to fear everything you cannot control.

-----Original Message-----
From: Christian Huitema
Sent: Mon Jun 09 17:32:51 2003
To: Hallam-Baker, Phillip; ietf@ietf.org
Subject: RE: Certificate / CPS issues

> I dispute the lower risk claim. You have more control. More control does
> not mean less risk.

The PKI and the PGP model both have risks, just different risks. The PGP model only involves the two parties; it brings the risk that the two parties misidentify each other. The PKI model involves a third party, supposedly trusted by both players; it brings the risk that the third party may make mistakes, or that the two parties mistakenly assign too much trust to a third party. Also, any large centralized service is bound to become a target for government and other entities.

-- Christian Huitema