Failure of PKI in messaging ... addenda

Anne & Lynn Wheeler lynn at
Tue Feb 13 11:41:27 EST 2007

re: Failure of PKI in messaging

another way of looking at the issue is somewhat alluded to in this blog post, Extended Validation - setting the minimum liability, the CA trap, the market in browser governance,

which somewhat contrasts the SSL domain name certificate with association branded payment instruments.

the association logos also promote a feeling of comfort for people doing transactions ... but they have quite a bit of regulatory and policy standing behind those transactions for the benefit of the consumer ... something that you don't find in any of the ssl domain name certificate operations.

at least in some of the PKI publicity and hype ... the concept was conveyed that a relying party could base trust purely on a digital certificate ... that the existence of a digital certificate provided all the trust that anybody would ever need. however, there is a big gap between the level of recourse provided to a consumer using an association branded payment mechanism ... and the recourse provided to a consumer (relying party) by the existence of a digital certificate.

i would contend that basic fundamental asymmetric cryptography defined a business process that allowed an individual to treat digitally signed electronic communication as nearly equivalent to having face-to-face communication with an individual; aka it provided for authentication and integrity. there was no sense of "trust" ... the concept of trust was something that was associated with an individual or entity ... a digital signature somewhat put electronic communication on a level playing field with face-to-face communication ... allowing it to be associated with a specific individual or entity. The issue of "trust" was separate from being able to depend on that equivalence.

this starts out purely as a certificateless operation

or this email from 1981 discussing using public key for more secure communication over the network

various PKI related publicity and hype from the 90s basically attempted to claim that digital certificates (added to an underlying public key operation) would actually provide the basis for "trust" between two parties that had no previous interaction (aka this is the letters of credit/introduction from the sailing ship days scenario).

part of the issue was that there was frequently nothing that actually provided recourse to the parties in the event that something didn't go quite as expected (which is present in the association branded payment mechanisms). such publicity/hype may also account for any confusion about ssl domain name certification ... which is only the basis for believing that the owner of a domain name is likely also the operator of a webserver (addressed by that domain name) ... rather than actually the basis for believing that the webserver a person thinks they are talking to is actually the webserver they are talking to.
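
The certificateless operation the post keeps returning to, as an added example (this is not code from the original post nor from anything it cites): a relying party that has pinned public keys out of band can verify a signature and attribute a message to a key it already knows, which gives integrity and authentication and nothing more. Whether to act on what the signer says is a separate trust decision, represented here as a hypothetical policy map. The names (Verifier, Pin, Attribute, Decide), the labels "alice" and "mallory", and the sample message are all assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Verifier holds public keys the relying party learned out of band
// (pinned directly; no certificate and no certification authority).
type Verifier struct {
	known map[string]ed25519.PublicKey // hypothetical label -> pinned key
}

func NewVerifier() *Verifier {
	return &Verifier{known: map[string]ed25519.PublicKey{}}
}

// Pin records a public key under a label chosen by the relying party.
func (v *Verifier) Pin(label string, pk ed25519.PublicKey) {
	v.known[label] = pk
}

// Attribute answers only "was this message signed by a key I know, and
// is it unaltered?" (authentication and integrity). It returns the label
// of the pinned key that verifies the signature, or an error.
func (v *Verifier) Attribute(msg, sig []byte) (string, error) {
	for label, pk := range v.known {
		if ed25519.Verify(pk, msg, sig) {
			return label, nil
		}
	}
	return "", errors.New("signature does not verify under any pinned key")
}

// Decision keeps the two questions the post distinguishes apart.
type Decision struct {
	Signer    string // who the message is attributed to ("" if nobody)
	Authentic bool   // signature verified under a pinned key
	Trusted   bool   // relying party's own policy says to act on it
}

// Decide first attributes the message, then consults a trust policy that
// is entirely the relying party's business. A message can be perfectly
// authentic and still not be trusted.
func Decide(v *Verifier, policy map[string]bool, msg, sig []byte) Decision {
	signer, err := v.Attribute(msg, sig)
	if err != nil {
		return Decision{}
	}
	return Decision{Signer: signer, Authentic: true, Trusted: policy[signer]}
}

func main() {
	// Constructed sample: two correspondents generate keys; the relying
	// party pins both, but its policy only trusts one of them.
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	mallPub, mallPriv, _ := ed25519.GenerateKey(rand.Reader)

	v := NewVerifier()
	v.Pin("alice", alicePub)
	v.Pin("mallory", mallPub)
	policy := map[string]bool{"alice": true} // trust decided separately

	msg := []byte("please wire 100 units to account 42")
	fmt.Printf("%+v\n", Decide(v, policy, msg, ed25519.Sign(alicePriv, msg)))
	fmt.Printf("%+v\n", Decide(v, policy, msg, ed25519.Sign(mallPriv, msg)))

	// Integrity: any change to the signed bytes breaks attribution.
	tampered := []byte("please wire 900 units to account 42")
	fmt.Printf("%+v\n", Decide(v, policy, tampered, ed25519.Sign(alicePriv, msg)))
}
```

The point of splitting Attribute from Decide is that the cryptography settles only who signed and that nothing changed; the policy map is where the relying party's recourse, history with the counterparty, or regulatory backing would have to live, and no certificate supplies that.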

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at