[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Beyond the "enterprise case"




At 1:21 AM +0100 7/6/07, Stephen Farrell wrote:
Meanwhile, from my p-o-v (as BoF co-chair), I think I'm seeing a
good deal of agreement about the desirability of handing the
enterprise case, and, so far anyway, no great interest in doing
much more than that, at least right now.

Wait, wait. I didn't see anyone asking about the "much more than that case" or I would have certainly chimed in.

A non-enterprise case that is quite important, and can probably be handled by the same protocol, is that of secure TA updates for individual users. Right now, there are approximately two widely-deployed models:

- Completely trust Microsoft to update your TA list for the OS and all apps that use CAPI when you are validating a signature

- Completely trust Mozilla to update your TA list for their products when you update your Mozilla software.

Maybe there is another useful model. :-)

The "enterprise case" is that your IS department will be trusted. The end user case could be "I trust this group over here, plus I trust my bank, and I trust my government". The pile-o-TAs that you will end up with will probably be less than a third the size of the current models.

The main difference between this model and where we might go with the "enterprise case" is that there is an explicit understanding that the relying party will possibly / probably trust multiple independent TA administrators.

--Paul Hoffman, Director
--VPN Consortium