Re: Making PKI universally usable - was: Re: Acquisition Problem Solved for some certs?
2003-07-01 00:11:46 GMT
Hi,

Isn't the telephone solution an "online" solution?

Antonio Maña.

> Peter - Tom - in addition to the really powerful set of verification rules
> that Tom came up with here (bravo TG!), there is another problem with making
> PKI acceptable to the real world... and that problem is that this type of
> verification **mandates** online services for any number of certificate-based
> infrastructures.
>
> The problem is that we as commercial users **would** really like to be able
> to use x509 PKIs offline, and that also can be done. To meet this need I
> would suggest an OOB validation process using the telephone (yes, a
> standard touch-tone POTS line should work just fine)...
>
> All you would have to do is to call the number and key in the fingerprint
> of the cert, which the provider could tell you is valid from them
> currently - or the 'responder' could issue a One-Time Token to satisfy some
> installer function with this certificate as part of OOB installer practice.
>
> The way to do this is with a local OCSP or CRL responder applet that uses a
> soft-token as part of the verification process based on the cert's
> fingerprint... or some such.
>
> This simple addition to the technology base totally makes x509 certs capable
> of being used offline as well as the basis of a stand-alone process...
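The quoted proposal, keying a certificate fingerprint into a touch-tone phone or checking it against a local responder applet that holds a pre-distributed soft-token, worked through as an added Python example; this is not code from anyone in the thread. The digits-only keypad encoding, the soft-token layout and the certificate bytes are constructed assumptions, and a fingerprint not present in the token is treated as a failure rather than as valid.

```python
import hashlib
from typing import Dict

# Constructed stand-ins for DER-encoded certificates; in practice these would be
# the raw bytes of the certificate files. The content here is arbitrary.
CERT_GOOD = b"constructed stand-in for provider certificate A (DER)"
CERT_REVOKED = b"constructed stand-in for provider certificate B (DER)"
CERT_UNKNOWN = b"constructed stand-in for a certificate the provider never issued"


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 fingerprint of the certificate bytes, as a client would show it."""
    return hashlib.sha256(cert_der).hexdigest()


def keypad_digits(hex_fp: str, hex_chars: int = 16) -> str:
    """Render a fingerprint prefix as digits only so it can be keyed on a phone:
    hex letters a-f have no key, so the leading `hex_chars` hex digits (64 bits)
    are re-expressed in base 10 and zero-padded to 20 digits.
    Constructed convention for this example, not any standard."""
    value = int(hex_fp[:hex_chars], 16)
    return f"{value:020d}"


def build_soft_token(statuses: Dict[bytes, str]) -> Dict[str, str]:
    """Build the local 'soft-token': keypad digits -> status, handed out by the
    provider ahead of time so lookups need no network (hypothetical format)."""
    return {keypad_digits(fingerprint(der)): status for der, status in statuses.items()}


def offline_lookup(entered_digits: str, soft_token: Dict[str, str]) -> str:
    """Resolve what the caller keyed in. Anything not in the token is 'unknown',
    which the installer must treat as a failure, never as 'good'."""
    if not entered_digits.isdigit():
        return "unknown"
    return soft_token.get(entered_digits, "unknown")


def validate_offline(cert_der: bytes, soft_token: Dict[str, str]) -> str:
    """End-to-end check for one certificate: fingerprint, keypad form, lookup."""
    return offline_lookup(keypad_digits(fingerprint(cert_der)), soft_token)


# The provider's pre-distributed token for this example (constructed).
SOFT_TOKEN = build_soft_token({CERT_GOOD: "good", CERT_REVOKED: "revoked"})

if __name__ == "__main__":
    for name, der in (("A", CERT_GOOD), ("B", CERT_REVOKED), ("X", CERT_UNKNOWN)):
        print(name, keypad_digits(fingerprint(der)), validate_offline(der, SOFT_TOKEN))
```

Truncating to 64 bits keeps the keyed string short enough to dial but is only as strong as the size of the provider's token list; a full fingerprint comparison is still needed once the certificate is installed.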