[OpenID] Announcing OpenID Authentication 2.0 - Implementor'sDraft 11

Hallam-Baker, Phillip pbaker at verisign.com
Mon Jan 22 20:45:49 UTC 2007

SSL achieves the original security goals set for it.

SSL does not achieve every security goal, that is not a failure. Certainly there are no grounds for the claim PKI has failed when it has succeeded in its original limited goals.

I agree that the original goals were too narrow. That is an argument I made ten years ago.

This is partly about correcting that original mistake.

> -----Original Message-----
> From: Ka-Ping Yee [mailto:openid at zesty.ca] 
> Sent: Monday, January 22, 2007 3:05 PM
> To: Hallam-Baker, Phillip
> Cc: James A. Donald; Ben Laurie; specs at openid.net; 
> openid-general; heraldry-dev at incubator.apache.org
> Subject: Re: [OpenID] Announcing OpenID Authentication 2.0 - 
> Implementor'sDraft 11
> On Mon, 22 Jan 2007, Hallam-Baker, Phillip wrote:
> > On the contrary, PKI is the basis of the security 
> infrastructure that 
> > so far has provided the greatest defense against Internet 
> crime - SSL.
> >
> > Judged by any rational set of standards SSL has been the most 
> > successful security protocol of all time. The costs of the PKI 
> > infrastructure are negligible compared to the value of the 
> commerce it 
> > supports.
> In practice SSL is primarily used to establish an encrypted 
> channel between endpoints, not to establish reliable 
> reciprocal identification.
> Given that almost no users pay any attention to certificates, 
> what reason do we have to believe that SSL succeeds because 
> of PKI, rather than in spite of it?
> By what rational set of standards do you evaluate PKI -- how 
> frequently it is used, or how much fraud it actually prevents?
> -- ?!ng

More information about the general mailing list