From: Carl Ellison <cme@cybercash.com>
To: stewarts@ix.netcom.com
Message Hash: d0b2d2063c3c40bca320d6edc4d4de1962a2146914a71e0d278c9a752046a033
Message ID: <3.0b11.32.19960912105914.0054f7b0@cybercash.com>
Reply To: N/A
UTC Datetime: 1996-09-12 19:20:38 UTC
Raw Date: Fri, 13 Sep 1996 03:20:38 +0800
Subject: Re: ISODE Consortium X.509 Certification system

Bill,

thanks for forwarding this to me.

It really bothers me whenever I see someone mouthing platitudes
about certificates, like:

>The ITU-T, through X.509, recommend strong authentication based on public
>key cryptosystems as the basis for providing secure services. The ISODE
>Consortium uses X.509 as the core of its security strategy.
>X.509 provides a flexible, scaleable and manageable algorithm-independent
>authentication infrastructure, which can be used as the basis for a wide
>range of security services such as message encryption and access control.

Fact is, identity certification (which is what X.509 gives) is neither
necessary nor sufficient for providing secure services -- and there's
nothing magic about X.509.

There are marketeers, however, who want the world to believe that the
generation and use of X.509 certs will somehow give you security -- so they
can sell machinery or a service which makes those certs.

- Carl

P.S. My USENIX paper giving the case against certification authorities is
on-line now at <ftp://ftp.clark.net/pub/cme/usenix.ps> =
<http://www.clark.net/pub/cme/usenix.ps>

+------------------------------------------------------------------+
|Carl M. Ellison cme@acm.org http://www.clark.net/pub/cme |
| PGP 2.6.2: 61 E2 DE 7F CB 9D 79 84 E9 C8 04 8B A6 32 21 A2 |
+-Officer, officer, arrest that man. He's whistling a dirty song.--+