[OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
pbaker at verisign.com
Mon Jan 22 20:45:49 UTC 2007
SSL achieves the original security goals set for it.
SSL does not achieve every security goal; that is not a failure. Certainly there are no grounds for the claim that PKI has failed when it has succeeded in its original limited goals.
I agree that the original goals were too narrow. That is an argument I made ten years ago.
This is partly about correcting that original mistake.
> -----Original Message-----
> From: Ka-Ping Yee [mailto:openid at zesty.ca]
> Sent: Monday, January 22, 2007 3:05 PM
> To: Hallam-Baker, Phillip
> Cc: James A. Donald; Ben Laurie; specs at openid.net;
> openid-general; heraldry-dev at incubator.apache.org
> Subject: Re: [OpenID] Announcing OpenID Authentication 2.0 -
> Implementor'sDraft 11
> On Mon, 22 Jan 2007, Hallam-Baker, Phillip wrote:
> > On the contrary, PKI is the basis of the security infrastructure that
> > so far has provided the greatest defense against Internet crime - SSL.
> > Judged by any rational set of standards SSL has been the most
> > successful security protocol of all time. The costs of the PKI
> > infrastructure are negligible compared to the value of the commerce it
> > supports.
> In practice SSL is primarily used to establish an encrypted
> channel between endpoints, not to establish reliable
> reciprocal identification.
> Given that almost no users pay any attention to certificates,
> what reason do we have to believe that SSL succeeds because
> of PKI, rather than in spite of it?
> By what rational set of standards do you evaluate PKI -- how
> frequently it is used, or how much fraud it actually prevents?
> -- ?!ng