Comments in-line, prefaced by my initials "AWA".

Al Arsenault

> -----Original Message-----
> From: Masataka Ohta [mailto:mohta@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Monday, December 15, 2003 2:15 PM
> To: Al Arsenault
> Cc: Franck Martin; Paul Hoffman / IMC; Keith Moore; ietf@xxxxxxxx
> Subject: Re: PKIs and trust
>
> Al Arsenault;
>
> > Having worked in the "PKI" field for a loooonnnnggg time now,
>
> Where can I find an authoritative reference on what "PKI", by
> your definition, means?

AWA: See, for example http://www.ietf.org/internet-drafts/draft-ietf-pkix-roadmap-09.txt
From Section 1.2:

   Public Key Infrastructure (PKI) - The set of hardware, software,
   people, policies and procedures needed to create, manage, store,
   distribute, and revoke PKCs based on public-key cryptography.

Note that there's nothing in there about USING the keys/certificates to
accomplish any particular (business or other) task. In other words, the
applications are external to the PKI. Section 2 of that draft has some
more details.

> > - unfortunately, many people when hearing the phrase "public key
> > infrastructure" think that that is what is meant/required, even though
> > most of us working in the field know that it's not required.
>
> That's a fair statement, if you can clarify what, then, are required.
>
> > (From personal experience, my belief is that the single biggest
> > failure of PKI is the over-hyping and under-delivering of the
> > technology. People were led to believe that once they had a PKI,
> > their problems were solved. That's not the case. I used to hate
> > working with people who had bought a PKI from somebody, not
> > understanding that all they really needed then were the applications
> > that used the PKI/certificate stuff to do business the way they
> > wanted to do it. The only thing worse was when I worked for a PKI
> > company, and had to work with a customer to whom our sales-critters
> > had just made a sale. To start a conversation with "Joe didn't tell
> > you you still need..." wasn't fun.)
>
> It seems to me that you think PKI not only exists but also
> can be purchased.

AWA: Hmm - my terminology in my original posting was a bit suboptimal.
*Part* of the PKI can be purchased - namely, the hardware and software.
The "people, policies, and procedures" bits get tricky - you generally
cannot buy them. (You can often buy "generic" policies and procedures
manuals that have to be tailored to your specific environment/rules, but
you can't buy a canned solution.) Those are also the parts over which
many folk who have tried to implement PKI have stumbled.

In the original message, I should have said "PKI hardware/software" or
similar terms, rather than "a PKI". Mea culpa.

And, of course, the actual applications/business processes still have to
be provided from somewhere else.

> So, where can I find your definition of "PKI"?
>
> URLs please.
>
> Masataka Ohta