A mighty fortress is our PKI, Part II

Perry E. Metzger perry at piermont.com
Wed Jul 28 09:05:57 EDT 2010


On Wed, 28 Jul 2010 11:38:17 +0100 Ben Laurie <ben at links.org> wrote:
> On 28/07/2010 09:57, Peter Gutmann wrote:
> > In any case though the whole thing is really a moot point given
> > the sucking void that is revocation-handling, the Realtek
> > certificate was revoked on the 16th but one of my spies has
> > informed me that as of yesterday it was still regarded as valid
> > by Windows.  Previous experience with revoked certs has been that
> > they remain valid more or less indefinitely (which would be
> > really great if CAs offered something like domain-tasting for
> > certs, you could get as many free certs as you wanted).
> 
> Again, citing the failure to use revocation correctly right now
> does not tell us anything much about the possibility of using it
> correctly in the future.

The US Securities and Exchange Commission has long forced companies to
state, when selling advisory services, that "past performance is no
indicator of future performance".

However, I think that's pretty much clearly untrue in most
disciplines. Empirical reasoning is entirely about observing and
drawing conclusions based on what we observe. Virtually all of modern
science comes, in fact, from observing what happens in the real world
and extrapolating from it.

After a few decades of trying to get PKI to work, we have failed to do
so. At some point, one has to have very firm justifications for the
belief that these decades of experience should be dismissed as mere
experimental error.

In another message you say:
> The core problem appears to be a lack of will to fix the problems,
> not a lack of feasible technical solutions.

I'm unsure whether you are correct here, but I will point out that any
solution which can never be deployed *is*, in fact, infeasible, and
that if human beings cannot be convinced to use a particular solution
(which is one form of the "lack of will" problem), then we might as
well dismiss that solution.

Now, I've been saying "PKI can never be made to work" for something
like the last fifteen years. I was on a panel with Steve Kent at a
Usenix workshop long ago, where I expressed the opinion that PKI very
poorly models the actual legal and de facto relationships between
parties, and I think that experience has borne that out. We've watched
the rise and fall of substantial companies dedicated to trying to get
PKI sold into enterprises, and the best efforts that Certco and
Entrust and the like made were not enough. There is also considerable
evidence that many of the technologies PKI requires, like reliable
revocation, cannot be made to work, and whether that is because of a
"lack of will" or because of something deeper, the fact is that these
techniques have failed in practice over the course not of months or
years but of decades, and we cannot ignore that forever.

It is not always the case that a dead technology has failed because of
infeasibility or inapplicability. I'd say that a number of fine
technologies have failed for other reasons. However, at some point, it
becomes incumbent upon the proponents of a failed technology to
either demonstrate that it can be made to work in a clear and
convincing way, or to abandon it even if, on some level, they are
certain that it could be made to work if only someone would do it.

I think we are at or even past that point with PKI. The odor of
putrefaction is unmistakable.


-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


