That depends how you connect the links. A serial chain is only as strong as its weakest link. Metaphor is no substitute for analysis, as Stephen Jay Gould frequently observed humans are poor judges of probability

-----Original Message-----
From: Einar Stefferud
Sent: Mon Jun 09 20:38:27 2003
To: Hallam-Baker, Phillip
Cc: ietf@ietf.org
Subject: RE: Certificate / CPS issues

Seems to me that if it is a chain (?) ... Then it is only as strong as its weakest link, whichever link it might be...\Stef

At 20:11 -0700 6/9/03, Hallam-Baker, Phillip wrote:
>Number of steps is not a determinant of security.
>
>Strength of each step and of the aggregate chain is what matters.
>
>Strength comes from discipline and process.
>
>The surest way to create insecurity is to fear everything you cannot control
>
> -----Original Message-----
>From: Christian Huitema
>Sent: Mon Jun 09 17:32:51 2003
>To: Hallam-Baker, Phillip; ietf@ietf.org
>Subject: RE: Certificate / CPS issues
>
> > I dispute the lower risk claim. You have more control. More control does
> > not mean less risk.
>
>The PKI and the PGP model both have risks, just different risks. The PGP
>model only involves the two parties; it brings the risk that the two
>parties misidentify each other. The PKI model involves a third party,
>supposedly trusted by both players; it brings the risk that the third
>party may make mistakes, or that the two parties mistakenly assign too
>much trust to a third party. Also, any large centralized service is
>bound to become a target for government and other entities.
>
>-- Christian Huitema