
"Self-issued certificates have no credibility so cannot be trusted"

How is that? I see the process working like this:

* I sign up for an email account by sending a request with a username and a public key. No need to "trust" the key, because this is an identity creation process.

* My bank issues a smartcard when I create my account, which can be used to log in to their website.

Sure, there are problems -- key revocation and dealing with lost secret keys are probably the biggest. Those problems are shared by passwords. The point is to solve the more glaring problems we have with passwords, like the fact that you need to rely on many different websites to manage passwords securely, or the fact that humans are terrible at picking passwords.

"The tragedy is that while these solutions exist, are mature and proven, there is just not enough incentive to make them a reality."

Bingo. That's the real issue, and it always has been.
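An added example, not part of the comment above: a minimal Go sketch of the enrollment flow it describes, where a self-issued key is pinned to a username at signup and later logins prove possession of that key. The `Registry` type, the function names, the username and the nonce-signing login step are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Registry is a hypothetical account store: username -> key pinned at signup.
type Registry map[string]ed25519.PublicKey

// Enroll binds a self-issued key to a new name. No CA is asked: the key defines the identity.
func (r Registry) Enroll(user string, pub ed25519.PublicKey) error {
	if _, taken := r[user]; taken || len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("cannot enroll %q: name taken or malformed key", user)
	}
	r[user] = pub
	return nil
}

// NewClient returns a public key and a signer; the private key stays inside the closure.
func NewClient() (ed25519.PublicKey, func([]byte) []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, func(msg []byte) []byte { return ed25519.Sign(priv, msg) }
}

// Challenge returns a fresh nonce; a real server would remember it and accept it once.
func Challenge() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Verify reports whether sig over nonce was produced by the key enrolled for user.
func (r Registry) Verify(user string, nonce, sig []byte) bool {
	pub, ok := r[user]
	return ok && ed25519.Verify(pub, nonce, sig)
}

func main() {
	reg, nonce := Registry{}, Challenge()
	pub, sign := NewClient()
	fmt.Println(reg.Enroll("alice", pub), reg.Verify("alice", nonce, sign(nonce)))
}
```

The server stores nothing that lets it, or anyone who copies its database, log in as the user; revocation and lost-key recovery are not handled here.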


