X.509 / PKI, PGP, and IBE Secure Email Technologies

[Anne & Lynn Wheeler]

Ed Gerck wrote:
 > PGP is public-key email without PKI. So is IBE. And yet neither of
them has
> all the identical, same basic components that PKI also needs. Now, when you
> look at the paper on email security at
> http://email-security.net/papers/pki-pgp-ibe.htm
> you see that the issue of what components PKI needs (or not) is not
> relevant to the analysis.

usually when you are doing baseline ... you start with the simplest,
evaluate that and then incrementally add complexity. in that sense
PGP is much closer to the simplest baseline ... and PKI becomes added
complexity ... inverting you classification; email PKI is PGP with
digital certificates added.

you then could add various layers of public key operation where the
relying parties have direct access to the information in one way or
another and therefor don't require stale, static, armored cached copies
(digital certificate) of the real information.

then you can go thru numerous layers of PKI ... are the relying parties
and the digital certificate creators part of the same business
organizations ... and therefor require neither contractual relationship
and/or CPS as a substitute for contractual relationship.

then add trusted third party certification authority PKI ... where the
relying parties and the certification authorities have direction
contractual relationship and thefore don't require CPS as a substitute
for contractual relationship.

it is when you get to trusted third party certification authority PKI
... where the relying parties and the ttp/ca are part of totally
different business operations and have no contractual relationship that
you then get into the issue of how does a relying party actually know
than it should be trusting a ttp/ca.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com