On 21 November 2014 15:12, Andrei Sambra <andrei.sambra@gmail.com> wrote: > > > On Fri, Nov 21, 2014 at 7:37 AM, Anders Rundgren < > anders.rundgren.net@gmail.com> wrote: > >> On 2014-11-21 12:58, henry.story@bblfish.net wrote: >> <snip> >> >>> Ok, in your case as you are creating certificates for the BBC (and its >>> partners?), >>> which is a large enough community for these to having meaning. Perhaps >>> an explanation >>> of how you use certificates would be useful. Where do people login with >>> your >>> Certificates? Only on the BBC site? Or also partner sites? >>> >>> In general CA requirements make it impossible to use for any >>> company smaller than the BBC. Particularly it makes it useless >>> for individuals or small companies, as without a CA nobody would >>> recognise their certificate. It would only be useable for their >>> own site, in which case username/passwords would be all that is >>> needed. >>> >> >> Henry, >> PKI (when it works) is just a better version of username/password. >> > Actually it is a lot more than that, and this is probably the "key" (sic) > element you're missing. PKI does not require servers to create and manage > usernames/passwords. Instead, it allows for a completely decentralized > system based on (a certain level) trust. You _cannot_ create > usernames/passwords apriori for the whole planet. :-) > Unless the username is the fingerprint and the password is the key material. > > -- Andrei > >> >> How far a specific certificate takes you is identical to any other login >> mechanism. >> Enterprise certificates typically aren't used outside of the enterprise. >> >> If your company is using AD, PKI comes for free as a part of the MSFT >> package. >> For this market PKI works reasonably well and this is the only market >> MSFT cares about. >> >> Anders >> >> >> >> >
Received on Friday, 21 November 2014 14:16:02 UTC