Paul Hoffman / IMC wrote:
> At 4:29 PM -0500 12/14/03, Valdis.Kletnieks@xxxxxx wrote:
> >On Sun, 14 Dec 2003 12:09:37 PST, Paul Hoffman / IMC said:
> >
> >> All of that is describable, and many vendors have such products.
> >> There are no standards (or none that are significantly followed) for
> >> such assertions. So? Many different PKIs can handle such assertions,
> >> once you codify them.
> >
> >I'm having a very hard time reading this as anything except "Sure, the
> >PKIs out there could do it, if we only understood it well enough to come
> >up with a consistent way that would work for everybody. And since the PKI
> >could deal with it if we knew what we wanted it to deal with, it's not a
> >problem for actual production use of a PKI now".
>
> Try harder then. Maybe try "The PKI works fine for this, as do the
> signed messages, and we understand what we want, but we can't figure
> out how to trust the other humans in the process." You can't find "a
> consistent way that would work for everybody" if they can't define
> why and how they trust each other.
>
> There are literally billions of dollars that can be saved if someone
> can figure out how to get the human trust part to work. Given that
> the technical end of the PKI world has not changed much in the past
> five years, it's pretty clear that if someone is leaving billions of
> dollars on the table, the problem is pretty difficult and not prone
> to a technical fix.
>
> This has nearly nothing to do with the technical part of the PKI, and
> everything to do with the humans.

Hence my original comment that the politicians need to broker the trust relationships. There will clearly be multiple technical relationships, with very different characteristics, just as there are for inter-personal trust relationships outside the technical space. The fundamental point is that the IETF is not capable of (nor in any position to) further the deployment of PKIs until the non-technical aspects get resolved.

On a global scale that role has traditionally belonged to the ITU, so that would be a good place to go as the next step. There are undoubtedly other organizations that need to be involved on smaller scales, but this is a case where a top-down consistent framework will probably make the technical job easier down the road. Any way you want to define it, this is an aspect of Internet governance, and it clearly doesn't belong to either ICANN or the IETF.

Tony