ID "theft" -- so what?
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sun Jul 17 12:01:17 EDT 2005
"James A. Donald" <jamesd at echeque.com> writes:
>The PKI that was designed to serve no very useful function other than make
>everyone in the world pay $100 a year to Verisign is dead.
>
>Yet the technology is potent, and the problems of identity and authenticity
>are severe. We shall, bye and bye, see reliance on public keys. Other
>things just don't work.
What makes you so sure of that? When I looked at this ("Plug-and-play PKI: A
PKI your Mother can Use", available from my home page), I found that by the
time you'd hidden enough of the PKI complexity to make it user-friendly, you
had something that was indistinguishable from a username-and-password
interface. Conversely, as soon as you start surfacing any of the PKI arcana,
it becomes unusable by the majority of users.
Currently the best way that I know of securing an SSL link is through the use
of TLS-PSK, which provides mutual authentication of client and server as part
of the TLS handshake without requiring any public-key technology at all. This
also happens to be the most usable security technology around - even your
mother can use it, and since the TLS handshake will fail in a very obvious
manner if she connects to a spoofed site, there's no need to rely on users
mastering PKI/PKC arcana for the security to work.
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list