For photo's who would count as a trusted third party, and how much do you think that would cost per key? If you're thinking of a PGP style web of trust then it'll fall over pretty quickly either by deliberate misuse or just because people are crap and will say they trust things they shouldn't.
Photo's aren't much use for idenitfying people you've never met, and are of even less use for identifying machines.
As far as trusting the "key" goes why would I want to? A key that isn't tied to some other information isn't the slightest bit of good. I need to know that a given key is associated with the machine I'm connecting to, the e-mail address I'm communicating with, or the user I'm authenticating. So unless I associate thet key with some other data it's useless.
If you give me a key and say it's your key, then yes I can trust it directly and likewise for your server. However I'd want to make a note of that, and would then might want to pass on that note when someone who asks me for your key. They'd of course then have to trust me when I say ciphergoth gave me this key and it's really his. They'd probably make a note of it in fact. Of course having been given the key by me with or without an attached note, they should verify the finger print directly with you in the same way they should now. If I was using the key to exchange e-mails with you I'd probably note your e-mail address against it and oops back to square one.
To be useful you need a fixed relationship between the key/finger print and some pointer to a unique idenitifier, and unless I've met you and until image recognition software is a lot better a photo isn't it.
Also I'd have to refute your statement about the chances of a fingerprint/key being unique, that is only true for a given implementation of the PK part of PKI, but if you get the I part right the uniqueness or otherwise of the keys themselves really doesn't matter as much, as in most infrastructures the signed data normally contains several bits of unique data.
The problem with PKI isn't the cryptography, it's the infrastructure part. Maintaining trust, distributing keys, and revoking them if the data they are associated with changes. Doing this within limited communities, such as within a company/* or a community small enough that photo's are viable */ is fairly easy, but to date no one has made it scale well. Changing which bit of data you trust doesn't move you any closer to resolving the problem
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png)
timeasmymeasure
Covering several points
Date: 2002-06-11 04:49 pm (UTC)that would cost per key? If you're thinking of a PGP style web of trust then
it'll fall over pretty quickly either by deliberate misuse or just because
people are crap and will say they trust things they shouldn't.
Photo's aren't much use for idenitfying people you've never met, and are of
even less use for identifying machines.
As far as trusting the "key" goes why would I want to? A key that isn't tied
to some other information isn't the slightest bit of good. I need to know that
a given key is associated with the machine I'm connecting to, the e-mail
address I'm communicating with, or the user I'm authenticating. So unless I
associate thet key with some other data it's useless.
If you give me a key and say it's your key, then yes I can trust it directly
and likewise for your server. However I'd want to make a note of that, and
would then might want to pass on that note when someone who asks me for your
key. They'd of course then have to trust me when I say ciphergoth gave me
this key and it's really his. They'd probably make a note of it in fact. Of
course having been given the key by me with or without an attached note, they
should verify the finger print directly with you in the same way they should
now. If I was using the key to exchange e-mails with you I'd probably note
your e-mail address against it and oops back to square one.
To be useful you need a fixed relationship between the key/finger print and
some pointer to a unique idenitifier, and unless I've met you and until image
recognition software is a lot better a photo isn't it.
Also I'd have to refute your statement about the chances of a fingerprint/key
being unique, that is only true for a given implementation of the PK part of
PKI, but if you get the I part right the uniqueness or otherwise of the keys
themselves really doesn't matter as much, as in most infrastructures
the signed data normally contains several bits of unique data.
The problem with PKI isn't the cryptography, it's the infrastructure part.
Maintaining trust, distributing keys, and revoking them if the data they are
associated with changes. Doing this within limited communities, such as
within a company/* or a community small enough that photo's are viable */
is fairly easy, but to date no one has made it scale well. Changing which
bit of data you trust doesn't move you any closer to resolving the problem