Re: [TLS] the use cases for GSS-based TLS and the plea for integrating

Martin Rex <Martin.Rex@sap.com> Fri, 27 July 2007 15:11 UTC

From: Martin Rex <Martin.Rex@sap.com>
Message-Id: <200707271508.l6RF8I9S018387@fs4113.wdf.sap.corp>
Subject: Re: [TLS] the use cases for GSS-based TLS and the plea for integrating
To: pgut001@cs.auckland.ac.nz
Date: Fri, 27 Jul 2007 17:08:18 +0200
In-Reply-To: <20070728020702.2x3rc53g7bksocc0@webmail.cs.auckland.ac.nz> from "pgut001@cs.auckland.ac.nz" at Jul 28, 7 02:07:02 am
Cc: tls@ietf.org

pgut001@cs.auckland.ac.nz wrote:
> 
> For how many more years do we have to keep flogging the PKI corpse?  If it
> worked as intended, the multibillion-dollar phishing industry wouldn't exist.
> Why keep it mandatory to implement something that very demonstrably doesn't
> work?

I beg to differ.

PKI does work.  However, the marketplace has different preferences
for a number of good reasons (IPR issues and operational costs among them).

Secret-key or shared-secret authentication comes in all different flavours,
and every human being learns the concept behind it at a young age, and
not necessarily as a software implementation.

Public key technology and authentication through public key technology
is different, and its complexity appears to be beyond the scope of
many non-technical people.  Where it is used, pushed and advertised,
it is often a part of a MUCH more complex thing called PKI and
cluttered with the ridiculous bloat called the X.509 certificate and
the concept of "trusted (certification) authorities".


If public key technology were more along the lines of the original
models of SSH and PGP, it would likely be used much more often.


-Martin

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls