[Trying to get this posted to the moderated cryptography list...] Peter Gutmann should be declared an international resource. With one foot in the commercial world, one in the government world and one in the cypherpunk world, he has a rare perspective on the big security issues. His irreverance, iconoclasm, frankness and humor make his essays a joy to read. Having said that, his recent analysis[1] falls prey to the conventional wisdom in certain respects. This gives him a curious blindness which contrasts with his usual clear vision. He scrupulously shines his light on all the dirty corners which the powers-that-be would like to keep hidden, all the while ignoring the elephant standing in the middle of the room. First is the fundamental claim that PKI is not working. Peter goes into detail about all the problems that are keeping PKI from success: CRLs, user interface problems, cost issues, etc. It's a sad litany of failure. Only one little thing mars this picture. PKI IS A TREMENDOUS SUCCESS WHICH IS USED EVERY DAY BY MILLIONS OF PEOPLE. Of course this is in reference to the use of public key certificates to secure ecommerce web sites. Every one of those https connections is secured by an X.509 certificate infrastructure. That's PKI. One might even go so far as to say that PKI saved the internet, by allowing people to engage in commerce without fear. People have been trained to look for the lock icon which tells them that they have a secure connection and can safely enter their credit card information. Certainly it is true that the internet today would be vastly different if we did not have a deployed, successful, and heavily utilized public key infrastructure. Any discussion of PKI's supposed failure ought to at least recognize that it has been an overwhelming success in this extremely important market segment. Another, less fundamental but equally annoying, blind spot is Peter's allegience to what is conventional wisdom in certain circles, namely that global names do not exist. It's one thing for Carl Ellison to make such a claim; after all, he's worn his SPKI blinders for so long that they have practically grafted themselves onto his head. But someone like Peter ought to be capable of a little more independent thought. Peter even goes so far as to refer to "a locally unique identifier such as an email address." Anyone who would refer to an email address as being only locally unique is blinding himself most carefully. The truth is that we are surrounded by globally unique identifiers and we use them every day. URLs, email addresses, DNS host names, Freenet selection keys, ICQ numbers, MojoIDs, all of these are globally unique! "pgut001@cs.auckland.ac.nz" is a globally unique name; you can use that address from anywhere in the world and it will get to the same mailbox. The existence of globally unique identifiers may not fit into some people's ideology but it is a matter of fact all the same. And likewise with the fact that there are extremely important areas where PKI has been massively successful. Let's hope that Peter's legendary clear vision will allow him to pierce the orthodoxy that comes from his friends as easily as that which comes from outsiders. === [1] http://www.cs.auckland.ac.nz/~pgut001/pubs/notdead.zip