Hi Guys, Thank you for taking on the p2 challenge!
Although the responses were rather different, AFAICT, they all required new security infrastructure beyond what is offered by the enterprise (employee) PKI which is (from my perspective) the interesting part since the consultants that for example the US government use, claim that this use-case is completely within the realm of the enterprise PKI, and does neither require new standards nor services. Since the people who actually design systems do not have any guidelines of how to do this, they do what you could expect even when they are performing explorative research: http://www.mel.nist.gov/msid/b2btestbed That is, exclude security from the design completely! Naturally there is more than one solution but if I were to create a blueprint, I would reuse what I believe is the only proven methodology which is introducing the new entity "system" in the plot. The former is the foundation for most financial industry transaction networks like SWIFT etc. Such solutions do not only address encryption but (system) authentication as well. That is, PSS and OSS communicate through a dedicated secure messaging system, that is completely independent of the schemes used to secure employee-to-system communication. This principle is BTW also a direct copy of the original land-line phone system where phone/user authentication is through a specific cable and PSS/OSS represent operators. That's what I call time-tested! It sure has flaws from a security point of view but that doesn't imply that improved security solutions need to change everything (at once) because that may give unwanted side-effects like limited migration capability. It has been claimed that I bash PKI. I would rather say that I bash solutions that ignore efficiency, decentralization, and scalability. It is pretty clear that true end-to- end security solutions based on static message encryption have much more limitations (outside of the enterprise) than most people are aware of. The US government has IMO been swindled by people who have vested interests keeping prices in the outrageous category rather than trying to see how they could keep costs down. Since PKI is rather much a government thing and the US has the by far largest budget and influence, this is not an entirely US-only-question. http://www.gcn.com/online/vol1_no1/40429-1.html “We’ve backed the wrong horse any number of times,” Anders _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
