Failure of PKI in messaging

Leichter, Jerry leichter_jerrold at
Wed Feb 14 10:19:20 EST 2007

On Tue, 13 Feb 2007, Anne & Lynn Wheeler wrote:
| ...part of the problem was that the PKI financial model is out of
| kilter with standard business practices. nominally a relying party has
| some sort of relationship with the certification authority (i.e. what
| they are relying on) and there is exchange of value between the two
| parties.
| In the standard PKI model, there frequently is absolutely no
| relationship between the relying party and the certifying agency. The
| "owner" of the digital certificate is paying the certifying agency
| ... not the relying party ... so there is typically no exchange of
| value between the certifying agency and the relying party ... and
| therefore the relying party has no foundation for actually relying on
| the certifying agency....
This is an excellent point - completely obvious once made (and I know
you've made it before, but for whatever reason, the inverted
relationship between certifier and signer/relying party never quite
sank in for me).

It's interesting to follow up on this idea, because it shows just how
profound the problem is.  Imagine starting a business that ran a PKI
and did business the old way:  You would charge someone *presenting*
an alleged certificate for an "OK".  The "OK" would, for the fee paid,
provide insurance against the possibility of fraud.  (Presumably, the
fee would be based on the size of the insured transaction and level
of experience and trust you have in the signing party.)  It's to
your advantage to have many parties whose signatures you vouch for,
since that's what brings you customers; so you probably don't charge
that side of the business - though it helps someone to have a "high
trust" signature, since their customers will like paying a lower
premium to do assured business with them, so you could charge on
that side in some cases.  But, unlike the case today, since your
own money is at stake if you vouch for someone untrustworthy, you
can't just go hand certs out to anyone who shows up at your door.

In the business-to-business case, things have worked like this (more
or less) for years.  This is pretty much what Dun and Bradstreet do,
for example (though they don't do the actual insurance part - they
rely on their own reputation to provide as much assurance as is needed
for typical transactions).  But can we even imagine a situation in
which Internet shoppers were willing to *pay* - even a nominal amount
- for assurance that the Amazon page they hit really was Amazon's?
There are at least two levels of established practice in the way:

	- Assurance services at the consumer level barely exist in
		the real world.  We rely mainly on various surface
		indicia - appearance, responsiveness, apparent age
		and stability, trademarks - that are reasonably good
		in the real world but basically useless on the Net.
		We also rely on "reputation", which we almost always
		hear about for free.

	- Information on the Internet is expected to be free.  There
		are relatively few exceptions that have gained any
		traction, and they tend to be for "bigger" pieces of

This analysis indicates yet again why this is, and will likely remain,
an intractable problem.
							-- Jerry

The Cryptography Mailing List