Franck Martin;

>>That you can construct a PK structure to represent a set of trust
>>relationships for some purpose does not mean that there is some
>>general purpose PKI.
>>
>>There isn't.
>>
>>That is, that you must construct a PK structure for every different
>>purpose is not a software issue but an operational problem too complex
>>and costly to be solvable.

> Hmmm, we talked about some of it...

Maybe. However there are other reasons why PKI is hopeless.

The other two problems are:

CAs of PKI, if any, are just as reliable as ISPs.

That is, if you can just rely on CAs, you can just rely on ISPs that
your communication is just secure. Otherwise, you must assume that
your or your peer's CA, over which you have no control, is
compromised.

So, virtual MitM in CAs between you and your peer is just as harmful
as MitM in ISPs between you and your peer.

PKIs, if any, are not useful for authentication on consumable
credential.

The only merit of PK with CA over shared key with KDC is that no
communication with CAs is necessary for every transaction.

However, it means that there is no entity to check the amount of
remaining credential.

So, if an attacker has a certificate to be used for 1,000USD of
transaction, the attacker can use the certificate for 1,000 seconds,
1,000 times a second, from 1,000 different locations, total damage
of which is 1,000,000,000,000USD for personal benefit of the attacker
or for economical terrorism to ruin the world wide economy.

In short, CAs are intermediate intelligent entities not knowing the
precise current state of communications (e.g. remaining credential)
that introduction of such CAs is the direct violation of the end to
end principle.

So, PKI is even less hopeful than IPv6.

Masataka Ohta