Having worked in the "PKI" field for a loooonnnnggg time now, there are a couple of points I'd like to make:

- any system which relies on one entity to be globally "trusted" by everybody for everything (or alternatively, one entity to be authoritative for everything) is doomed to failure.

- unfortunately, many people, when hearing the phrase "public key infrastructure", think that that is what is meant/required, even though most of us working in the field know that it's not required.

Keith Moore had an outstanding list a number of transactions ago:

    I trust my boss to make statements about my job.
    I trust my landlord to make statements about the house I rent from him.
    I trust my mother and my siblings to make statements about my immediate family.
    I trust my mother and my siblings to make statements about the identities of other family members.
    I trust the State of Tennessee to make statements about the identities of state agencies.
    I trust state agencies to make statements about which they have authority (e.g. automobile licensing), but not to make statements about things that are outside of their purview.
    I trust the United States government to make statements about the identities of US government agencies.
    I trust US government agencies to make statements about which the agency has authority (e.g. aircraft licensing, federal income tax), but not to make statements about things which are outside of their purview.
    I trust my employer to make assertions about the identities of its officers and/or other employees, for the purpose of establishing identity for work-related communications, but not for other purposes.

The word "trust" seems to be a hot button for a lot of people. Put it another way: Keith "trusts" those entities for those purposes because those entities are AUTHORITATIVE for those purposes.

- The boss is AUTHORITATIVE for your job. That's the way "employment" works - within limits, what the boss says you do applies to you, and you do it.
- The landlord is AUTHORITATIVE for the property you rent. She owns it.
- Your mother and siblings are AUTHORITATIVE for the family members.
... and so on.

And this is as it should be.

Suppose you have a state agency called the Motor Vehicle Administration or Department of Motor Vehicles or... Their job, by charter, is to (a) determine what qualifications should be required in order to operate a motor vehicle on public roads; (b) determine that an individual applicant meets those requirements and thus is allowed to operate certain types of motor vehicles on public roads; (c) determine the "safety standards" for a vehicle to be operated by anyone on public roads.

Now, do you really want that same agency to issue credentials for, e.g., university students, or issue you a credit card with a spending limit of X, or...? Why should they - it's not their job, and it's not their area of expertise.

Keith's list of "trusts" above is a reflection of the real world, and the real world is that way for a whole series of good reasons. It's not perfect, but it works pretty well.

The problem with "PKI" is that many people don't want it to reflect/represent the real world; they want it to reflect some imaginary nirvana where everything is efficient and nothing ever slips through the cracks because two organizations use different identifiers. "PKI" is not the way to solve that; it never has been and it never will be.

As Paul Hoffman notes, from a technical standpoint PKI (with some adjuncts that enforce privilege management/authorization as well as identification/authentication) can represent pretty much everything you want, now. It can do so using PKIX, using SPKI, or using XKMS, with varying levels of difficulty/complexity. The problem is in agreeing on what exactly it is you want to do, and why you want to do it.

(From personal experience, my belief is that the single biggest failure of PKI is the over-hyping and under-delivering of the technology. People were led to believe that once they had a PKI, their problems were solved. That's not the case. I used to hate working with people who had bought a PKI from somebody, not understanding that all they really needed then were the applications that let them use the PKI/certificate stuff to do business the way they wanted to do it. The only thing worse was when I worked for a PKI company, and had to work with a customer to whom our sales-critters had just made a sale. To start a conversation with "Joe didn't tell you you still need..." wasn't fun.)

Al Arsenault
Senior Security Engineer
BBN Technologies
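The scoping argument in the post above (an authority is believed only for the purposes it is authoritative for, never for everything) can be made concrete in a verifier. The following is an added example, not code from the post or from any of the people or products it mentions: the authority names, the claim types in TRUST_POLICY, the per-authority secrets and the HMAC-based "signature" are all constructed here, with HMAC standing in for the asymmetric signature a real certificate would carry. The point it shows is that the issuer can sign any statement it likes; it is the relying party's trust policy that refuses a DMV assertion about university enrollment, exactly as the post argues.

```python
"""Scoped trust: accept an authority's assertion only for its purview.

Added example (not from the original post). Authorities, scopes, keys and
the HMAC stand-in for a digital signature are all constructed/assumed here.
"""
import hashlib
import hmac
import json

# Constructed trust policy: the claim types each authority is authoritative for.
# Anything not listed is outside that authority's purview and is not believed,
# even when the signature on it is perfectly valid.
TRUST_POLICY = {
    "Dept of Motor Vehicles": {"driver_license", "vehicle_registration"},
    "State University": {"student_enrollment"},
    "Employer Inc": {"employee_identity"},
}

# Constructed per-authority secrets. A real PKI would use each authority's
# public key here; HMAC is used only to keep the example self-contained.
AUTHORITY_KEYS = {
    "Dept of Motor Vehicles": b"dmv-secret",
    "State University": b"univ-secret",
    "Employer Inc": b"employer-secret",
}


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so issuer and verifier sign/check the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue(issuer: str, subject: str, claim_type: str, value: str) -> dict:
    """An authority signs a statement about a subject.

    Deliberately no scope check: an issuer can assert anything. Limiting what
    is believed is the verifier's job, not the issuer's.
    """
    body = {"issuer": issuer, "subject": subject, "claim": claim_type, "value": value}
    sig = hmac.new(AUTHORITY_KEYS[issuer], _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


def verify(signed: dict) -> tuple[bool, str]:
    """Accept iff the signature is valid AND the issuer is authoritative for the claim."""
    issuer = signed.get("issuer")
    key = AUTHORITY_KEYS.get(issuer)
    if key is None:
        return False, "unknown issuer"
    body = {k: v for k, v in signed.items() if k != "sig"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed.get("sig", "")):
        return False, "bad signature"
    if signed["claim"] not in TRUST_POLICY.get(issuer, set()):
        return False, f"{issuer} is not authoritative for {signed['claim']}"
    return True, "ok"


def authoritative_for(claim_type: str) -> set:
    """Which authorities a relying party would believe for a given claim type."""
    return {a for a, scopes in TRUST_POLICY.items() if claim_type in scopes}


if __name__ == "__main__":
    # Constructed sample assertions.
    print(verify(issue("Dept of Motor Vehicles", "alice", "driver_license", "class C")))
    print(verify(issue("Dept of Motor Vehicles", "alice", "student_enrollment", "enrolled")))
    print(sorted(authoritative_for("student_enrollment")))
```

The interesting case is the second one: the DMV's signature verifies, yet the assertion is rejected because enrollment is outside the DMV's charter. Swapping TRUST_POLICY for a single "root" entry that covers every claim type reproduces the globally-trusted-for-everything design the post warns against; the verifier code would not change, only the policy would.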