incubator-heraldry-dev mailing list archives

From "Hallam-Baker, Phillip" <pba...@verisign.com>
Subject RE: [OpenID] Announcing OpenID Authentication 2.0 - Implementor'sDraft 11
Date Mon, 22 Jan 2007 20:45:49 GMT
SSL achieves the original security goals set for it.

SSL does not achieve every security goal; that is not a failure. Certainly there are no grounds
for the claim PKI has failed when it has succeeded in its original limited goals.

I agree that the original goals were too narrow. That is an argument I made ten years ago.

This is partly about correcting that original mistake.

> -----Original Message-----
> From: Ka-Ping Yee [mailto:openid@zesty.ca] 
> Sent: Monday, January 22, 2007 3:05 PM
> To: Hallam-Baker, Phillip
> Cc: James A. Donald; Ben Laurie; specs@openid.net; 
> openid-general; heraldry-dev@incubator.apache.org
> Subject: Re: [OpenID] Announcing OpenID Authentication 2.0 - 
> Implementor'sDraft 11
> 
> On Mon, 22 Jan 2007, Hallam-Baker, Phillip wrote:
> > On the contrary, PKI is the basis of the security infrastructure that
> > so far has provided the greatest defense against Internet crime - SSL.
> >
> > Judged by any rational set of standards SSL has been the most
> > successful security protocol of all time. The costs of the PKI
> > infrastructure are negligible compared to the value of the commerce it
> > supports.
> 
> In practice SSL is primarily used to establish an encrypted 
> channel between endpoints, not to establish reliable 
> reciprocal identification.
> Given that almost no users pay any attention to certificates, 
> what reason do we have to believe that SSL succeeds because 
> of PKI, rather than in spite of it?
> 
> By what rational set of standards do you evaluate PKI -- how 
> frequently it is used, or how much fraud it actually prevents?
> 
> 
> -- ?!ng
> 
