Stephen Kent's "Challenges to PKI Deployment"

Challenges to PKI Deployment 


Stephen Kent

Chief Scientist - BBN Technologies

Co-chair: PKIX WG - IETF

Presentation to the Asia PKI Forum, Shanghai China, July 2004.

Excellent exposé of some of the traditional problems CAs got themselves into with one-size-fits-all certificates. From Kent's slides:


"Most PKIs focus on identifying entities (users, devices, etc.)  as a basis for machine enforced authorization or for human value judgments (“do I trust e-mail from him?”). Thus CAs emphasize the procedures they use to verify the identity of certificate subjects.

"For big CAs, there is an implicit assumption that a single certificate is all that a user should need. This assumes that one identity is sufficient for all applications, which contradicts experience."






