I agree. With my mortgage customers (MISMO.org related) I have argued that private certs signed by their business partner are better than a cert issued by a well-known cert company. Anyone can buy a cert from the well-known company. A cert signed by your business partner cannot be bought from any vendor. And if managed correctly, they can add/delete employees and application certs in real time.
> However, PKI does not help e-commerce or financial transactions, as discussed in my recent paper: "Meaninglessness of Public Key Cryptography for Authentication on Consumable Credential" (presented in Japan in Japanese):
>
> Abstract: For electric transactions, the essential benefit of public key cryptography over shared key cryptography is that it is not necessary to communicate with a Certificate Authority on each transaction. However, it is meaningless to use public key cryptography for authentication on consumable credentials, such as authentication of the remaining credential in an account for electric payment, as fraud with tremendous damage is easily performed, unless communication with the authorities that manage the account, to decrease the remaining credential, is required on each transaction.
>
> The problem of PKI without realtime management of remaining credential is that an attacker can use 1K USD worth of certs from 1000 different locations for 1000 seconds, 1000 times a second, the total damage from which is 1T USD.
>
> Credential can be created only with direct communication.
>
> Masataka Ohta
--
Doug Royer                   | http://INET-Consulting.com
-----------------------------|-----------------------------
Doug@xxxxxxxxx               | Office: (208)520-4044
http://Royer.com/People/Doug | Fax: (866)594-8574
                             | Cell: (208)520-4044
We Do Standards - You Need Standards
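The failure mode the quoted abstract describes, as an added Go simulation that is not part of this thread or of the paper: an issuer signs a balance credential once with Ed25519; merchants that check only the signature accept the same credential at every one of n locations, while merchants that have the issuer decrement its ledger on each transaction accept no more than the real balance. The names (Credential, Issuer, Simulate, the account id) are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Credential is a constructed stand-in for a consumable credential: an issuer-signed
// statement that an account holds a given balance (USD). Nothing in it changes when spent.
type Credential struct {
	Account string
	Balance int
}

func (c Credential) bytes() []byte { return []byte(fmt.Sprintf("%s:%d", c.Account, c.Balance)) }

// Issuer signs credentials and holds the only authoritative remaining balance.
type Issuer struct {
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	ledger map[string]int
}

func NewIssuer(account string, balance int) *Issuer {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Issuer{Pub: pub, priv: priv, ledger: map[string]int{account: balance}}
}

// Issue signs the credential once; the signature stays valid however often it is presented.
func (is *Issuer) Issue(c Credential) []byte { return ed25519.Sign(is.priv, c.bytes()) }

// OfflineAccept models a merchant that trusts the signature alone (no round trip to
// the issuer): every copy of the credential looks equally valid, at every location.
func OfflineAccept(pub ed25519.PublicKey, c Credential, sig []byte, amount int) bool {
	return ed25519.Verify(pub, c.bytes(), sig) && amount <= c.Balance
}

// OnlineAccept verifies the signature and then has the issuer decrement the ledger.
func (is *Issuer) OnlineAccept(c Credential, sig []byte, amount int) bool {
	if !OfflineAccept(is.Pub, c, sig, amount) || is.ledger[c.Account] < amount {
		return false
	}
	is.ledger[c.Account] -= amount
	return true
}

// Simulate presents one signed credential at n locations and returns the totals accepted.
func Simulate(n, amount int) (offline, online int) {
	c := Credential{Account: "acct-1", Balance: amount}
	is := NewIssuer(c.Account, c.Balance)
	sig := is.Issue(c)
	for i := 0; i < n; i++ {
		if OfflineAccept(is.Pub, c, sig, amount) {
			offline += amount
		}
		if is.OnlineAccept(c, sig, amount) {
			online += amount
		}
	}
	return offline, online
}
```

With Simulate(1000, 1000) the offline merchants accept 1,000,000 USD against a 1,000 USD credential, while the ledger-backed merchants accept exactly 1,000; the abstract's 1T USD figure is the same replay multiplied across time as well as locations.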