On Sun, 14 Dec 2003 12:09:37 PST, Paul Hoffman / IMC said:
All of that is describable, and many vendors have such products. There are no standards (or none that are significantly followed) for such assertions. So? Many different PKIs can handle such assertions, once you codify them.
I'm having a very hard time as reading this as anything except "Sure, the PKI's out there could do it, if we only understood it well enough to come up with a consistent way that would work for everybody. And since the PKI could deal with it if we knew what we wanted it to deal with, it's not a problem for actual production use of a PKI now".
Try harder then. Maybe try "The PKI works fine for this, as does the signed messages, and we understand what we want, but we can't figure out how to trust the other humans in the process." You can't find "a consistent way that would would for everybody" if they can't define why and how they trust each other.
There are literally billions of dollars that can be saved if someone can figure out how to get the human trust part to work. Given that the technical end of the PKI world has not changed much in the past five years, it's pretty clear that if someone is leaving billions of dollars on the table, the problem is pretty difficult and not prone to a technical fix.
This has nearly nothing to do with the technical part of the PKI, and everything to do with the humans.
--Paul Hoffman, Director --Internet Mail Consortium