ID "theft" -- so what?

Aram Perez aramperez at mac.com
Thu Jul 14 10:45:17 EDT 2005


<RANT-PET_PEEVE>Why do cryptography folks equate PKI with  
certificates and CAs? This fallacy is a major "root cause" of the  
problem IHO. Why was the term "PKI" invented in the late 70s/early
80s (Kohnfelder's thesis?)? Before the invention of asymmetric
cryptography, didn't those people who used symmetric cryptography  
need an SKI (secret key infrastructure) to manage keys? But no one  
uses the term SKI or talks about how to manage secret keys (a very  
hard problem). Anytime you use any type of cryptography, you need an  
"infrastructure" (<http://en.wikipedia.org/wiki/Infrastructure>) to  
manage your keys, whether secret or public. There are at least two  
public key infrastructures that do NOT require CAs: PGP and SPKI. But  
like in so many real life cases, the best technology does not always  
win and we are stuck with the system that garnered the most business/ 
economic support.</RANT-PET_PEEVE>

Respectfully,
Aram Perez

On Jul 14, 2005, at 6:19 AM, Perry E. Metzger wrote:

> Ian Grigg <iang at systemics.com> writes:
>
>>> It's 2005, PKI doesn't work, the horse is dead.
>>
>> He's not proposing PKI, but nymous accounts.  The
>> account is the asset, the key is the owner;
>
> Actually, I wasn't proposing that. I was just proposing that a private
> key be the authenticator for payment card transactions, instead of the
> [name, card number, expiration date, CVV2] tuple -- hardly a
> revolutionary idea. You are right, though, that I do not propose that
> any PK_I_ be involved here -- no need for certs at all for this
> application.
>
> I don't claim this is a remotely original idea, by the way. I'm just
> flogging it again.
>
>> But, thank the heavens that we now have reached
>> the point where people can honestly say that PKI
>> is the root cause of the problem.
>
> "Root Cause of the Problem" isn't correct either. It is better to say
> that PKI doesn't solve many of the hard problems we have, or, in some
> cases, any problems -- it doesn't per se cause any problems, or at
> least not many.
>
> This is not a "new realization" -- this goes back a long way.
>
> People were saying PKI was a bad idea a decade ago or more. A number
> of the people here, including me, gave talks on that subject years
> ago. I spoke against PKI during the debate I was invited to at the
> Usenix Electronic Commerce Workshop in 1998 or so, and at many
> opportunities before and since. Dan Geer has a pretty famous screed on
> the subject. Peter Gutmann talks about the follies of X.509 so often
> it is hard to keep up. I don't mean to single us out as visionaries --
> we were just saying things lots of other people were also saying.
>
> Honestly, where have you been?
>
>> Can you now tell the browser people?
>
> I can smell the rest of this discussion right now, Ian. You'll
> misunderstand the constraints the browser people are under, and start
> claiming SSL is bad (or unnecessary) about 20 seconds after that. I'm
> not playing the game.
>
> Perry
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to  
> majordomo at metzdowd.com
>

