From: Albert Levi: Saturday, July 01, 2000 10:04 AM

Please have a look at your wallet and see how many pieces of ID/cards you have. I have at least 20. And they are needed for different purposes. I cannot use my driver's license to make a payment and cannot use my credit card as a passport.

Not only is this argument by analogy, the connections are tenuous. I hold my credit cards and Keys physically in my hand. That is much different that having a bunch of random numbers that are too long to remember. Even so, I never carry more than 3-4, of >20, credit cards, nor do I carry all my keys. In fact, I try to reduce the number of each as much as possible, even if this means consolidating combinations/numbers/keys. Granted, this didn't connect with me either, until my users started complaining. In key management, there quickly comes a point where the management itself becomes a security risk.

Similarly a user can get several certificates for different applications. And this is necessary for authorization purposes. Although I aggree that it is not so easy to describe the fact of several cert necessity for SSL and PGP/PEM/S/MIME to a non-technical person, I believe that anyone can get the philosophy behind the analogic difference between the car key (to get to home - SSL) and the home key (to enter the home - PGP/PEM/...). You'd certainly want your kids enter home but not use your car.

I'm an empty-nester, my kids don't have access. You may explain it to them, but they will only grudgingly agree. Then only because they don't know any better and you don't give them a choice. You will lose them to the first one that gives them that choice. Users don't want to know the difference between SSL POP Auth and message content encryption. To them, it is all the same. Technically, there is no reason that you can't use the same key for both. Neither to they understand the difference between Webmail and POP email, after all, the content is the same. "why do I have to have three different certs to read the same email message?" is exactly what they asked me. To be honest, I couldn't answer that satisfactorily, because there was no non-ideological answer. Technically, X.509 would indeed give it to them, PGP wont.