public-key: the wrong model for email?

Anne & Lynn Wheeler lynn at
Wed Sep 15 20:54:11 EDT 2004

At 12:39 PM 9/15/2004, Ed Gerck wrote:
> > [1] Public-key cryptography gives the impression that email message security can
> > be achieved quite simply. The public-key can be distributed at will, no need for
> > secrecy, and anyone can receive private and secure messages. The same procedure
> > being applied to each side, sender and receiver, both could immediately engage
> > in private and secure communication.

there are (at least) 2-3 characteristics of various public key systems

1) the public key doesn't have to be kept confidential as part of the 

2) you don't need a unique key for every unique security &/or business domain

3) other parties can attest to any bindings between the public key and 
other characteristics

however, while the fact that public key secrecy isn't required (vis-a-vis 
secret keys) ... and possibly enables one or more of the mentioned 
characteristics, public key operation doesn't mandate all such 
characteristics be mandatory for the use of public keys.

PGP allows that a relying party vet a public key with the key owner and/or 
vet the key with one or more others (web-of-trust)

note that while public key alleviates the requirement that a key be 
distributed with secrecy ... it doesn't eliminate the requirement that the 
public key have some trust characteristic associated (i.e. secrecy will 
tend to include some trust, but elimination of secrecy doesn't eliminate 
the requirement for trust).

so an infrastructure analogy to physical mail for public key .... is that 
public key becomes the trusted address for the recipient. in the physical 
world ... to send some mail ... you need a trusted mailing address for the 
recipient ... you need to have acquired that address in some manner and 
furthermore have some trust that it is the correct address. so let's assume 
that some number of equivalent mechanisms exist for public keys. it so 
happens that the encryption of the contents with the public key and the 
addressing of the contents with that same public key .... has some 
associated trusted infrastructure that delivers the package to the correct 

let's say that instead of having personal zip-codes and personal cell-phone 
numbers (that you take with you regardless of the service and/or physical 
location)... that can reach you regardless of where you happen to be in the 
world ....  the "number" that can be guaranteed to reach you, also happens 
to have the characteristics of a public key.

so public key mapping to entity infrastructures take on similar 
characteristics as personal (physical) mailing addresses and/or personal 
cell-phone numbers ... and then you have trusted infrastructures (usps, 
telephone companies, gov. posts) that can be relied on to make the 
connection to the appropriate recipient .... which then approximates a
public key paradigm mapping to existing physical world paradigms.

in the current physical world infrastructure, the publication &/or 
distribution of addresses are relatively low-cost (&/or free) operations 
with the infrastructures making their real money off the delivery ... as 
opposed to the publication.

translated to the internet paradigm .... everybody has a public key (in 
much the same way that everybody can have a personal cellphone number that 
may reach them regardless of where they are in the world). the public key 
is registered in something like the domain name infrastructure which then 
is able to figure out how to find you in the world (in a manner similar to 
how a personal cellphone number can find you anywhere in the world).

it isn't necessary that public key paradigms have to be the wrong model for 
email .... it is that the various existing economic models for making money 
off of public key infrastructures may be inconsistent with normal expected 
business operations. however, there is nothing intrinsic to public keys 
that mandates they are tied to existing public key infrastructure economic 

Anne & Lynn Wheeler  
