[2550] in cryptography@c2.net mail archive
RE: Reply to "ABA" becomes root CA for financial services industry
daemon@ATHENA.MIT.EDU (Rick Smith)
Tue Apr 21 17:12:34 1998
In-Reply-To: <000801bd6a42$32ba5520$708394c6@ns95lap005.nscc.com>
Date: Fri, 17 Apr 1998 16:32:03 -0500
To: "Dwight Arthur" <dwightarthur@mindspring.com>,
"Kawika Daguio" <Kdaguio@aba.com>, <dcsb@ai.mit.edu>,
<cryptography@c2.net>, <dbs@philodox.com>
From: Rick Smith <rick_smith@securecomputing.com>
Cc: <alivings@aba.com>, <jbyrne@aba.com>, <tgreco@aba.com>
At 4:48 PM -0400 4/17/98, Dwight Arthur wrote:
>Wow, is it officially Spam when I reply to all these lists at once?
It's spam if it's a "bad" message, not if it's a "good" one. I'll leave any
remaining uncertainty as an exercise to the reader.
>Rick, do you know the ABA effort to be devoid of bottom-up drivers?
The PKI activity shows that the ABA is investing in helping banks use
public key cryptography. This is going to encourage public key applications
at every level by giving it a sanction from a central voice in the banking
community. I see that as a "bottom up" driver.
The point isn't that ABA is ignoring or discouraging bottom up activities
(I don't have any evidence either way of this, aside from what I said
above). My point is that the PKI's best choices for roles and
responsibilities, and the corresponding technical requirements are based on
how things work in practice. I haven't seen significant discussion of
extensive real world use of public key technology by banks.
I'm just skeptical about making significant progress on a top-down PKI
until we have operating experience at the lower levels. Perhaps experience
will show that we don't even need a formalized PKI at the top level. At the
very least, customer level operating experience is going to produce new
requirements on PKI behavior. Hopefully these won't affect the first
generation ("top down") implementation too badly.
> Most
>major banks and brokerage firms in my experience are at least planning for
>how they will issue and/or use certificates, and in a number of cases they
>are in the second year of pilot or rollout. There are some efforts, such as
>the NACHA/IC CA Interoperability Pilot, where banks have driven over the
>line into how they will exchange certificates with each other. This is
>defined as a "rootless" pilot but as the banks worked out the logistics of a
>five-way key exchange it turned out that a single directory source is
>valuable. ABA's not in this pilot but some people in the pilot are also
>working with ABA. This feels bottom up to me.
I love hearing stories about how these things work out in practice. If
anyone is producing reports on lessons learned (what works, what doesn't)
then I'd be honored to have the opportunity to look at them. Cryptographic
technology has so much promise, and it's been used so narrowly in the past.
I can't wait to see what real people do with it, and what happens.
Rick.
smith@securecomputing.com
