certificates & the alternative view

Anne & Lynn Wheeler lynn at garlic.com
Thu Jun 12 13:14:33 EDT 2003


>I think you have put your finger right on the problem.
>Certificates, https, and the entire PKI structure were designed
>for an accountless world, but the problem is accounts.

the other view ... using a little information theory .... is that 
certificates are a stale, static, read-only copy of information in the 
certificate authority's account record .... targeted for offline 
environments where the relying party has no access to the real 
authoritative agency responsible for the information.

one of the things from the '90s, in the transition from offline to the 
start of a pretty much ubiquitous online world, was trying to come up with 
things to put into certificates to justify their price. One of the attempts 
was extreme overloading of the certificate with large amounts of identity 
and privacy information, and furthermore convincing the public that they 
should pay for the privilege of having huge amounts of their privacy 
information sprayed all over the world.

The fallback is to attempt to reduce as much as possible any information of 
actual value in a certificate and to not go around confusing identification 
with authentication. This was sort of the relying-party-only certificates 
from the financial community in the later part of the 90s .... don't put 
any information of any value whatsoever in a certificate; just create 
these huge, very large bit patterns that were one hundred times larger 
than a typical payment transaction and require that these extremely large 
bit patterns be attached to every payment transaction sent back to 
the financial institution (which already had the original copy of all the 
information). From this it was possible to demonstrate a PKI infrastructure 
where every certificate was compressed to zero bytes. The horrible payload 
penalty and information/privacy leakage problem was ultimately addressed 
with zero-byte certificates. They contained a zero-byte, stale, static, 
read-only copy of the information in the certificate authority's account 
record.
--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com