[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ISODE Consortium X.509 Certification system


        thanks for forwarding this to me.

        It really bothers me whenever I see someone mouthing plattitudes
about certificates, like: 

>The ITU-T, through X.509, recommend strong authentication based on public 
>key cryptosystems as the basis for providing secure services. The ISODE 
>Consortium uses X.509 as the core of its security strategy. 
>X.509 provides a flexible, scaleable and manageable algorithm-independent 
>authentication infrastructure, which can be used as the basis for a wide
>range of security services such as message encryption and access control. 

Fact is, identity certification (which is what X.509 gives) is neither
necessary nor sufficient for providing secure services -- and there's
nothing magic about X.509.

There are marketeers, however, who want the world to believe that the
generation and use of X.509 certs will somehow give you security -- so they
can sell machinery or a service which makes those certs.

 - Carl

P.S.  My USENIX paper giving the case against certification authorities is
on-line now at <ftp://ftp.clark.net/pub/cme/usenix.ps> =

|Carl M. Ellison       [email protected]    http://www.clark.net/pub/cme |
|   PGP 2.6.2: 61 E2 DE 7F CB 9D 79 84  E9 C8 04 8B A6 32 21 A2    |
+-Officer, officer, arrest that man. He's whistling a dirty song.--+