[ ] Line 251 - Should use cases be more agnostic to fit the audience? Instead of TLS, SMIME, and IPSec, is an update for something like PKI a method to prove a transaction cryptographically? Those transactions can be for access, encryption, or signing something. In those generic use cases, you can identify the workforce from customer or private uses.
[ ] Line 260 - Define electronic signature from digital signature. The audience may not know the difference and think they are the same.
2. Public Key Certificates
[ ] Line 359 - A graphic identifying the different parts of PKI would be a helpful reference.
[ ] Line 363 - Do you need a reference to the "web of trust"? Unclear what that is.
[ ] Line 383 - Include CA hierarchy if needed. Ambiguous on the cert chain "about the authority that vouches for the association".
3. How are PKI certs like other credentials
[ ] Line 423 - A graphic that shows a certificate and a break out that shows the top extension items. "You can see in the certificate who issued it, who it was issued to, and xxxx"
4. Options for identifiers
[ ] Line 718 - Good opportunity for a graphic to show where identifiers are or may look like in a certificate. Maybe a graphic to show Subject DN from common name or UID or mapping to an LDAP DN?
5. X-Certs for PKI
[ ] Line 790 - Good opportunity for a graphic that shows what is exchanged in the cross-certs.
[ ] Line 809 - Can you include a use case for cross-certificates between independent CAs? It is unclear why an organization would do this internally or externally. You kind of have it in the next paragraph for federated trust, but maybe open this section with why.
1. What is PKI?
2. Public Key Certificates
3. How are PKI certs like other credentials
4. Options for identifiers
5. X-Certs for PKI