PKI: Only Mostly Dead

R. A. Hettinga rah at shipwright.com
Wed May 29 10:37:35 EDT 2002 

--- begin forwarded text


Status:  U
Date: Wed, 29 May 2002 00:57:06 -0700
To: "R. A. Hettinga" <rah at shipwright.com>
From: Carl Ellison <cme at acm.org>
Subject: Re: PKI: Only Mostly Dead
Cc: cme at acm.org

Here's my message to the author of that article..

 - Carl

===========================================================

Scott,

	as far as I'm concerned PKI is not only dying, it deserves to die
much more quickly.  That's because when it works, it still doesn't
work.

	See the two papers to which I contributed at last month's PKI
Research Workshop http://www.cs.dartmouth.edu/~pki02/

	Look especially at what we call the John Wilson problem.  In a
nutshell, if you bind a name to a key, even if you do that always
accurately and even if your certificates interoperate with my
software, you have done nothing for me if there are more than about
1000 certified people in the world.  That's because there are too
many John Wilsons.  I can't tell them apart by name, when you lump
them all together into one big pool (the pool of all people the CA
certifies -- e.g., a big one like VeriSign -- or a little one like
Intel Corporation with only 70,000 and 8 John Wilsons).  If I can't
tell them apart (and people can't -- for which we have definite
proof), then I am forced to make a guess as to which one is the right
one -- if the right one is represented at all -- and when I'm handed
a certificate saying that this S/MIME message or HTTPS page came from
John Wilson, I'm not given the list of all John Wilsons, so I don't
even get to compare them to see which one looks like the closest
match.

	PKI deserves to die not because of vendor greed, although there is
plenty of that, but because the original idea was wrong.  When you
bind a person's name to a public key you have not identified the key
in a way that is useful to me.  That's because if I know the name of
the keyholder, I still don't know who the keyholder is.

 - Carl

P.S.  I strongly recommend your reading those papers in the preprints
available at the PKI Workshop web site.


+------------------------------------------------------------------+
|Carl M. Ellison         cme at acm.org     http://world.std.com/~cme |
|    PGP: 08FF BA05 599B 49D2  23C6 6FFD 36BA D342                 |
+--Officer, officer, arrest that man. He's whistling a dirty song.-+

============================================



--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list