Forrester report

Peter Williams <peter@verisign.com> Thu, 15 August 1996 21:38 UTC

Received: from ietf.org by ietf.org id aa18766; 15 Aug 96 17:38 EDT
Received: from cnri by ietf.org id aa18762; 15 Aug 96 17:38 EDT
Received: from neptune.hq.tis.com by CNRI.Reston.VA.US id aa14284; 15 Aug 96 17:38 EDT
Received: from neptune.tis.com by neptune.TIS.COM id aa27464; 15 Aug 96 17:20 EDT
Sender: ietf-archive-request@ietf.org
From: Peter Williams <peter@verisign.com>
To: "'pem-dev@tis.com'" <pem-dev@tis.com>
Subject: Forrester report
Date: Thu, 15 Aug 1996 12:11:06 -0700
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Orig-Sender: pem-dev-approval@neptune.tis.com
Precedence: bulk
Message-ID: <9608151715.aa27459@neptune.TIS.COM>

One might wish to consult, on the web, the Forrester report, volume 1, number 11.
It focuses on the commercial deployment of the PKI that pem-dev has been discussing
for years.

One interesting point: it notes in a paragraph titled "Interoperability will be
muddled by limited standards" that "X.509 v3 includes the ability to add custom
fields that always hamper interoperability". (It then has an incompetent
statement about DSS and X.509.)

How quaint. Vendors scream for flexibility, std extensions are defined, then the
mere possibility of further flexibility is decried. Perhaps standards wisdom is
available to help this war-weary programmer!

Another interesting point, foreseen by PEM designers, is that obviously higher
level authorities need to exist to "represent" the trust and algorithm/keying
properties of the domain, i.e., PEM PCAs.

However, it denotes such a function as a "rating service", versus an integral
part of the trust environment as with PEM PCAs. Whilst I don't believe the
rater's liabilities are solved by such a transition, the notion is perhaps
indeed viable as a refinement of what PCAs really were.

Finally, the report notes that risk management requires that various levels
of "identity confirmation" (what the X.800 std terms "authentication
management") will be required.

This is slightly humorous, as many in our industry claim that only a single,
uniform (high) level is tenable for all financial and other user risks.
Didn't PEM start out with this notion too, and learn to drop it!?

It's nice to see 1422 coming of age with only minor cosmetic changes. We
just have to teach folk now the difference between residential and
organizational telematic service delivery, and we'll be there!

Peter.