On 12/02/2008 08:04 PM, Ian G:
> Eddy Nigg wrote:
>> In case of Skype they are the software vendor and control the
>> software, the issuing instance and also the user
>
> Right, they do everything. One advantage for today: in the case of Skype
> we (the user) only have to pay for one organisation. In the case of CAs,
> we have to pay for four organisations.

Well, not sure where the payment comes in, but I don't pay personally
for either software, not for certificates and certainly not for my own
private keys. Now where does the "pay" come in?

But besides that, PKI is implemented in this way, because it makes
sense, not because it doesn't. Each party has its responsibilities.

> In the case of Skype, they just use the tools relatively wisely to solve
> the problems they need to solve. Their particular design eliminates many
> of the things that PKI does, but that is simply because their design
> meets the security needs and addresses the threat model for their given
> application and audience.

Meets the needs of whom? Just because the average user doesn't
understand it (not when using Skype nor when using Firefox or
Thunderbird) doesn't mean that it meets the security needs. It doesn't
for me (for confidentiality) and the security theater could be simply
omitted. Same effect.

If I could use my own client certs that would be a different
story....well, yes, it's called PKI...

> If there is anything "dictatorial" it is the claim that there is only
> one true security model;

Why do you think so many are using PKI? Because it's dictated or because
it solves a problem? I didn't invent it, but it serves the purpose
extremely well, hence I'm using it. Nobody forced me to, it's my own
conclusion.

> (When was the last time your security model was updated?)

There are always some smaller moves here and there, however at large no
updating is needed because it works. Or shall I say, the full potential
hasn't been reached yet and PKI will be deployed just about everywhere?

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto