
Bill, thanks for forwarding this to me. It really bothers me whenever I see someone mouthing platitudes about certificates, like:
The ITU-T, through X.509, recommend strong authentication based on public key cryptosystems as the basis for providing secure services. The ISODE Consortium uses X.509 as the core of its security strategy. X.509 provides a flexible, scaleable and manageable algorithm-independent authentication infrastructure, which can be used as the basis for a wide range of security services such as message encryption and access control.
Fact is, identity certification (which is what X.509 gives) is neither necessary nor sufficient for providing secure services -- and there's nothing magic about X.509. There are marketeers, however, who want the world to believe that the generation and use of X.509 certs will somehow give you security -- so they can sell machinery or a service which makes those certs.

 - Carl

P.S. My USENIX paper giving the case against certification authorities is on-line now at <ftp://ftp.clark.net/pub/cme/usenix.ps> = <http://www.clark.net/pub/cme/usenix.ps>

+------------------------------------------------------------------+
|Carl M. Ellison  cme@acm.org   http://www.clark.net/pub/cme       |
|  PGP 2.6.2: 61 E2 DE 7F CB 9D 79 84   E9 C8 04 8B A6 32 21 A2    |
+-Officer, officer, arrest that man. He's whistling a dirty song.--+
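The "neither necessary nor sufficient" point can be made concrete. What follows is an added example and is not code from Carl's message or from his USENIX paper. Using only Go's standard library it builds a throwaway root CA, issues a perfectly valid identity certificate to a constructed name (`mallory.example`), and then shows that (a) the X.509 chain verifies, yet the service still refuses her, because access is decided by a key-based ACL that no CA can populate, and (b) a second party (`alice`, also constructed) with no certificate at all is admitted, because her key was enrolled directly. The CA name, the ACL, the challenge bytes and the challenge-response step are assumptions made for the illustration; the key-based authorization is in the spirit of the key-centric approach Carl argues for, not a description of any specific system.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a throwaway self-signed root, standing in for any commercial CA.
func newCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// issue is all an identity CA does: bind a name to a public key.
// It says nothing about what the holder of that key may do.
func issue(ca *x509.Certificate, caKey ed25519.PrivateKey, name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// identityVerified is the X.509 step: chain to a trusted root, name matches.
func identityVerified(root, leaf *x509.Certificate, name string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   name,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

// keyACL is the service's authorization table, keyed directly by public key.
// Entries arrive out of band (enrollment), never from a CA.
type keyACL map[string]bool

func keyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

// admit is the whole access decision: hold a key on the ACL and prove it by
// signing the server's challenge. No certificate is consulted (none necessary),
// and a certificate cannot add a key to the table (none sufficient).
func (a keyACL) admit(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return a[keyID(pub)] && ed25519.Verify(pub, challenge, sig)
}

type Outcome struct {
	MalloryChainOK  bool // her CA-issued certificate verifies...
	MalloryAdmitted bool // ...yet she is refused: certification is not sufficient
	AliceAdmitted   bool // no certificate at all, admitted by key: not necessary
}

func RunScenario() (Outcome, error) {
	var out Outcome
	ca, caKey, err := newCA()
	if err != nil {
		return out, err
	}
	challenge := []byte("constructed nonce 0001") // stand-in for a per-session challenge
	malloryCert, malloryKey, err := issue(ca, caKey, "mallory.example") // constructed name
	if err != nil {
		return out, err
	}
	alicePub, aliceKey, err := ed25519.GenerateKey(rand.Reader) // enrolled directly, no CA
	if err != nil {
		return out, err
	}
	acl := keyACL{keyID(alicePub): true}
	out.MalloryChainOK = identityVerified(ca, malloryCert, "mallory.example")
	out.MalloryAdmitted = acl.admit(malloryCert.PublicKey.(ed25519.PublicKey), challenge, ed25519.Sign(malloryKey, challenge))
	out.AliceAdmitted = acl.admit(alicePub, challenge, ed25519.Sign(aliceKey, challenge))
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The useful part of the output is the contrast: `MalloryChainOK` is true while `MalloryAdmitted` is false, and `AliceAdmitted` is true with no certificate in her path at all. The security of the service lives entirely in `keyACL` and the challenge signature; the X.509 verification in `identityVerified` is a correct and complete piece of machinery that simply answers a different question.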