[Cryptography] How to De-Bollocks Cryptography?
Ralf Senderek
crypto at senderek.ie
Mon Aug 12 04:51:46 EDT 2024
On Sun, 11 Aug 2024, Phillip Hallam-Baker wrote:
> On Mon, Aug 5, 2024 at 11:03 PM Ralf Senderek <crypto at senderek.ie> wrote:
> [...]
> > "Everything should be made as simple as possible *but no simpler.*"
>
> Often times you cannot eliminate the complexity, you just shift it about.
> Ignoring revocation makes PKI a lot simpler but means your disaster
> recovery processes will be a lot more complex.
>
> The lack of consideration for private key management is a major
> shortcoming in traditional PKIs. Of course it is simplest to assume the
> private keys magically provision themselves and the public key credentials
> are properly provisioned.
If the use of public keys is part of the picture, this is a good example
of a system that is too simple. We don't want that, because of a lack of
essential functionality. But what we also don't want is a system that
conveniently manages the user's private keys in the cloud, because of the
huge attack surface. So a good solution would be as simple as possible
(to minimize the attack surface), but no simpler (to ensure essential
functionality).
-ralf
More information about the cryptography
mailing list