A mighty fortress is our PKI, Part II

Wed Jul 28 11:13:36 EDT 2010

On Wed, 28 Jul 2010 09:30:22 -0500 Nicolas Williams
<Nicolas.Williams at oracle.com> wrote:
> On Wed, Jul 28, 2010 at 10:05:22AM -0400, Perry E. Metzger wrote:
> > PKI was invented by Loren Kohnfelder for his bachelor's degree
> > thesis at MIT. It was certainly a fine undergraduate paper, but I
> > think we should forget about it, the way we forget about most
> > undergraduate papers.
> 
> PKI alone is certainly not the answer to all our problems.
> 
> Infrastructure

Let me interrupt here and say that when I refer to PKI, I mean the
Kohnfelder model which we have been following, which is the model of
very long lived "phone books" of hierarchically issued certificates
along with very long lived lists of revoked certificates, all
designed with an offline world in mind.

I have no objections to "infrastructure" -- bridges, the Internet,
and electrical transmission lines all seem like good ideas. However,
lets avoid using the term "Public Key Infrastructure" for things that
depart radically from the Kohnfelder and subsequent X.509 models.

> Infrastructure (whether of a pk variety or otherwise) and transitive
> trust probably have to be part of the answer for scalability
> reasons, even if transitive trust is a distasteful concept.

Well, it depends a lot on what kind of trust.

Let me remind everyone of one of my long-standing arguments.

Say that Goldman Sachs wants to send Morgan Stanley an order for a
billion dollars worth of bonds. Morgan Stanley wants to know that
Goldman sent the order, because the consequences of a mistake on a
transaction this large would be disastrous.

Should they trust Verisign's ExtraSuperHighValue certificate presented
by Goldman? No. Why? Because Verisign disclaims all effective
liability for the use of its certs. It is not a party to the
transaction being conducted. If it was actually insuring all
transactions conducted with the certificate, then Morgan could trust
them, because the counterparty who's credit would be at issue would no
longer be Goldman but Verisign. However, Verisign won't even pay out
if it turned out that they gave signed a Goldman cert and it was in
fact held by a scammer.

The problem with Certification Authorities is they certify
NOTHING. There can be no reliance on them, because they have no
liability of any sort in any transaction.

So, in the real world, Goldman and Morgan come up with ways of making
sure they trust each other's communications and credit lines. Even
when we're dealing with small transactions, like buying a book at a
book store with a credit card, if you trace it out, we're dealing with
nothing but a web of bilateral commercial relationships.

So, I have no trouble with various kinds of trust. What I have trouble
with is the sort of false trust that a CA implies. CAs certify nothing
in a real world business sense -- they are just toll collectors.

> However, we need to be able to build direct trust relationships,
> otherwise we'll just have a house of transitive trust cards.
> Again, think of the the SSH leap-of- faith and "SSL pinning"
> concepts, but don't constrain yourselves purely to pk technology.

I believe we may, in fact, be in violent agreement here.

Perry
-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com