public keys can be used to provide some degree of trust propogation w/o the problems associated with shared secrets ... independent of key-exchange for session confidentiality. certificates were designed to provide for offline trust propogation (i.e. trusted 3rd party generating paper credentials in the days of sailing ships ... for things like letters of credit). two possible online scenerios for online trust propogation was online domain name infrastructure providing public key as part of online hostname resolution response ... and licensing/certification agencies providing public key as part of a trust lookup. Trust propogation also works going from highly authenticated environment ... which might register a public key with a relying party; to a quickly authenticated environment remote, non-face-to-face transactions with digital signature (the digital signature would be a mathematical encapsulation of the authentication business process that occured as part of public key registeration) . Asymmetric algorithms have some advantages over traditional shared-secret algorithms in that there can be lower maintenence expense at the relying party (i.e. security exposure associated with divulging a shared secret). random refs: http://www.garlic.com/~lynn/2000f.html#1 http://www.garlic.com/~lynn/2000f.html#3 John Kelsey on 11/24/2000 12:59:42 PM