ID "theft" -- so what?

Perry E. Metzger perry at piermont.com
Thu Jul 14 09:19:28 EDT 2005 

Ian Grigg <iang at systemics.com> writes:
>> It's 2005, PKI doesn't work, the horse is dead.
>
> He's not proposing PKI, but nymous accounts.  The
> account is the asset, the key is the owner;

Actually, I wasn't proposing that. I was just proposing that a private
key be the authenticator for payment card transactions, instead of the
[name, card number, expiration date, CVV2] tuple -- hardly a
revolutionary idea. You are right, though, that I do not propose that
any PK_I_ be involved here -- no need for certs at all for this
application.

I don't claim this is a remotely original idea, by the way. I'm just
flogging it again.

> But, thank the heavens that we now have reached
> the point where people can honestly say that PKI
> is the root cause of the problem.

"Root Cause of the Problem" isn't correct either. It is better to say
that PKI doesn't solve many of the hard problems we have, or, in some
cases, any problems -- it doesn't per se cause any problems, or at
least not many.

This is not a "new realization" -- this goes back a long way.

People were saying PKI was a bad idea a decade ago or more. A number
of the people here, including me, gave talks on that subject years
ago. I spoke against PKI during the debate I was invited to at the
Usenix Electronic Commerce Workshop in 1998 or so, and at many
opportunities before and since. Dan Geer has a pretty famous screed on
the subject. Peter Gutmann talks about the follies of X.509 so often
it is hard to keep up. I don't mean to single us out as visionaries --
we were just saying things lots of other people were also saying.

Honestly, where have you been?

> Can you now tell the browser people?

I can smell the rest of this discussion right now, Ian. You'll
misunderstand the constraints the browser people are under, and start
claiming SSL is bad (or unnecessary) about 20 seconds after that. I'm
not playing the game.

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list