Stephen Kent wrote: > At 8:11 AM -0700 8/21/07, Frank Siebenlist wrote: >> In our deployments, we see more and more that PKI is not the primary >> authentication mechanism and that online-CAs are used to obtain >> pk-credentials, which means that this pki-trust is derived from other >> already pre-configured primary authentication mechanisms, like shared >> secrets, username/password, kerberos, OTP, etc. > > I believe your experience is an accurate characterization for the grid > computing community, but not most other communities who make use of PKI.
Well...I wouldn't dismiss our experience too fast. The grid community has a lot of experience with the old fashion, heavy weight PKI infrastructure with "real" CAs issuing long-lived certs to users - probably more than most other commercial applications as the last time I checked real PKI never lived up to its promise (who are all those other communities that you are referring to ?). The reasons why there is a push towards online CAs is because the heavy administrative burden associated with running a double authN infrastructure, and because of security concerns. Our experience is that most organizations already have (at least...) one identity management systems in place, which is "never" based on PKI and they will not and cannot abandon that for a PKI. Being able to leverage an existing identity management system is very compelling. Lastly, issuing short-lived certs also removes the revocation issues; dealing with those was never a strong point of PKI (it actually leaves the revocation issue with the other Id management system). The security issue with long lived certs has to do with the fact that we cannot trust the desktops anymore because of all the compromises through worms, viruses, bots, etc. Storing private keys on desktops protected by pass-phrases is a loosing proposition and compromised keys are expensive from a revocation, recovery, and management point of view. So unless you can rely on smartcards for your private key store and signing, your deployment is saver and recovery is easier when you rely on passwords/OTP with onlineCAs+sortlived-certs. I wouldn't be surprised if the grid communities' pki-experience could be applied to many other communities in the (near) future, which would make it too bad if this effort wouldn't accommodate a more broader view on "PKI". -Frank. -- Frank Siebenlist [EMAIL PROTECTED] The Globus Alliance - Argonne National Laboratory
