Re: What ASN.1 got right

On 3/2/21 2:27 PM, Phillip Hallam-Baker wrote:
On Tue, Mar 2, 2021 at 5:19 PM Michael Thomas <mike@xxxxxxxx> wrote:
On 3/2/21 1:38 PM, Phillip Hallam-Baker wrote:
Is this supposed to make me feel better about induced complexity?

Mike

It is much simpler than what we have today and one person has written all the specifications and 90% of the code in 26 months, and I was recovering from whatever I picked up in Singapore for six of those.

Things should be as simple as possible but it is absolutely critical that they not be made simpler. I have 30 years' experience with this technology and its application to the real world. The Mesh PKI side is much simpler than PKIX, OpenPGP or SAML but it is not simple. I know what I missed by trying for too much simplicity in XKMS.


So I just looked up ssh certificates which I think somebody mentioned. This is a prime example of throwing needless complexity at a problem. If you just added the user's public keys to, say, an LDAP repo, you get the scaling they claim to be solving for, and avoid all of the needless complexity of issuing certs and installing them on the client. The client ssh doesn't need to do anything different as a bonus. With LDAP you get the added bonus that it can dish out attributes for things like roles and permissions, which would be a giant headache if it had to be done with reissued certs every time your role or permission changed.

I'm trying to think of major things that use public key authentication. There's TLS with certs, DKIM using raw public keys, and SSH mainly using raw public keys. Am I missing anything else that is widely deployed? DNSSEC and BGP are still pretty skimpy from what I can tell.

Mike
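The arrangement Mike describes, raw public keys and role attributes served from a central directory with nothing new on the client, is what sshd's AuthorizedKeysCommand option exists for: sshd runs a program with the login name and treats whatever it prints as authorized_keys lines. The script below is an added example, not code from this thread or from any project it mentions. The in-memory DIRECTORY dict and the role-to-option policy are constructed stand-ins for an LDAP search result and a site policy; the keys are dummy values built in the OpenSSH wire format so the validation is real. The security-relevant part is that each attribute is validated before it is emitted: the first token must be a known key type, so the directory can never supply the key options that sshd reserves for the host, and disabled or role-less accounts get no keys at all.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): an sshd AuthorizedKeysCommand that
serves a user's keys from a central directory, with authorized_keys options
derived from the directory's role attribute. DIRECTORY below is a constructed
in-memory stand-in for an LDAP search result."""
import base64
import binascii
import struct
import sys

# Key types this deployment accepts from the directory (assumed policy).
ALLOWED_KEY_TYPES = ("ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa")

# Role -> authorized_keys options, most privileged first (assumed policy).
ROLE_POLICY = [
    ("admin", ""),                                            # no restrictions
    ("deploy", 'restrict,command="/usr/local/bin/deploy"'),   # forced command only
]


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_key_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH public key line from 32 raw Ed25519 public key bytes."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample directory entries (stand-in for LDAP; keys are dummies).
DIRECTORY = {
    "alice": {"sshPublicKey": [ed25519_key_line(b"\x01" * 32, "alice@laptop")],
              "role": ["admin"], "accountStatus": "active"},
    "bob":   {"sshPublicKey": [ed25519_key_line(b"\x02" * 32, "bob@ci")],
              "role": ["deploy"], "accountStatus": "active"},
    "carol": {"sshPublicKey": [ed25519_key_line(b"\x03" * 32, "carol@desk")],
              "role": ["admin"], "accountStatus": "disabled"},
    # Malformed attribute: option text in front of the key. It must be rejected,
    # otherwise the directory could set options that belong to the host's policy.
    "dave":  {"sshPublicKey": ['command="/bin/true" ' + ed25519_key_line(b"\x04" * 32, "dave")],
              "role": ["deploy"], "accountStatus": "active"},
}


def parse_key_line(line: str):
    """Validate one public key line; return (keytype, b64blob, comment) or None."""
    if "\n" in line or "\r" in line:
        return None                       # would inject extra authorized_keys lines
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED_KEY_TYPES:
        return None                       # first token must be a key type, never options
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except binascii.Error:
        return None
    if len(blob) < 4:
        return None
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != parts[0].encode():
        return None                       # declared type must match the encoded blob
    comment = parts[2] if len(parts) == 3 else ""
    return parts[0], parts[1], comment


def options_for(roles):
    """Options of the most privileged recognised role; None if the user has none."""
    for role, opts in ROLE_POLICY:
        if role in roles:
            return opts
    return None


def authorized_keys_for(username: str, directory=DIRECTORY):
    """Return the authorized_keys lines sshd should accept for `username`."""
    entry = directory.get(username)
    if entry is None or entry.get("accountStatus") != "active":
        return []                         # unknown or disabled account: no keys at all
    opts = options_for(entry.get("role", []))
    if opts is None:
        return []                         # no recognised role: deny by default
    lines = []
    for raw in entry.get("sshPublicKey", []):
        parsed = parse_key_line(raw)
        if parsed is None:
            continue                      # skip malformed attributes, keep the good ones
        keytype, b64, comment = parsed
        prefix = f"{opts} " if opts else ""
        lines.append(f"{prefix}{keytype} {b64} {comment}".rstrip())
    return lines


if __name__ == "__main__":
    # sshd_config: AuthorizedKeysCommand /path/to/this.py %u
    #              AuthorizedKeysCommandUser nobody
    for line in authorized_keys_for(sys.argv[1]):
        print(line)
```

In a real deployment the dict lookup becomes an LDAP query for the user's entry, but the validation and the role mapping stay the same. Note what this buys and what it does not: a role change takes effect on the next login with no reissuance, and disabling the account cuts off every host at once, but each host must be able to reach the directory at login time, which is the availability dependency that certificates avoid.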
