PKI deserves to die
Jun. 11th, 2002 11:43 am![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
ciphergothIn response http://www2.cio.com/research/security/edit/a05232002.html
From: Carl Ellison <cme@acm.org>
Subject: Re: PKI: Only Mostly Dead
Scott,
as far as I'm concerned PKI is not only dying, it deserves to die
much more quickly. That's because when it works, it still doesn't
work.
See the two papers to which I contributed at last month's PKI
Research Workshop http://www.cs.dartmouth.edu/~pki02/
Look especially at what we call the John Wilson problem. In a
nutshell, if you bind a name to a key, even if you do that always
accurately and even if your certificates interoperate with my
software, you have done nothing for me if there are more than about
1000 certified people in the world. That's because there are too
many John Wilsons. I can't tell them apart by name, when you lump
them all together into one big pool (the pool of all people the CA
certifies -- e.g., a big one like VeriSign -- or a little one like
Intel Corporation with only 70,000 and 8 John Wilsons). If I can't
tell them apart (and people can't -- for which we have definite
proof), then I am forced to make a guess as to which one is the right
one -- if the right one is represented at all -- and when I'm handed
a certificate saying that this S/MIME message or HTTPS page came from
John Wilson, I'm not given the list of all John Wilsons, so I don't
even get to compare them to see which one looks like the closest
match.
PKI deserves to die not because of vendor greed, although there is
plenty of that, but because the original idea was wrong. When you
bind a person's name to a public key you have not identified the key
in a way that is useful to me. That's because if I know the name of
the keyholder, I still don't know who the keyholder is.
- Carl
P.S. I strongly recommend your reading those papers in the preprints
available at the PKI Workshop web site.+------------------------------------------------------------------+ |Carl M. Ellison cme@acm.org http://world.std.com/~cme | | PGP: 08FF BA05 599B 49D2 23C6 6FFD 36BA D342 | +--Officer, officer, arrest that man. He's whistling a dirty song.-+
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
Re: "PKI needs more than a name"
Date: 2002-06-11 04:09 am (UTC)I'm sure I'm missing something here, I just don't know what.
Re: "PKI needs more than a name"
Date: 2002-06-11 04:56 am (UTC)You may as well ask how I know you're you when I meet you.
That's not exactly a meaningful question; I'm me by definition when you meet me. The question is rather whether you trust me to know the things you're emailing me about, which is something you establish by non-cryptographic means.
Sure, if I was a secret agent, I could mount a sort of "man-in-the-middle" attack by finding the sort of person I think you would trust and modelling myself on them before meeting you. But there's no cryptographic defence against such an attack, and it's very expensive to mount.
no subject
Date: 2002-06-11 05:22 am (UTC)GPG 1.07 supports the image extensions too. My key at http://www.fromtheshadows.com/mich/gpg3D942CC8_px.asc has the pic in it.
But I "know" many people online I've never seen or met. I know them by their socio-ethical positions, their hobbies, interests, phrase structure - intangibles that can be hard to quantify. But once I've conversed with them for a while, the one tangible identifier I'll tend to know is their email address. Yes, they could use a fake one, but any exchange of mails creates a "challenge-response" sequence that proves that this person is the entity (or an entity) being this email address.
My question was somewhat whimsical but not entirely without meaning, perhaps it would have been clearer to say "when I meet someone who appears to be you"; I know *you* well enough that your appearance has registered in my memory well enough for me to compare the image I see at that point (under whatever gothery applies) to that stored with a high degree of confidence. But there are many people I'd half-recognise, and possibly use voice and speech patterns to confirm this recognition.
People who've last met me 3 years ago (hi
I'm not quite sure where I was going with this, I think I was saying "neither email address nor appearance are the same as 'identity'". I really need more inspiring work and less stress to keep my mind running at a higher level.
no subject
Date: 2002-06-11 05:31 am (UTC)no subject
Date: 2002-06-11 06:02 am (UTC)Time to update my sig, anyway.
If, as is then possible with G/PG/P, you *can* tie a key to an identity (even if it takes time) - and have a comparetively open and interoperable standard, I think that the blanket statement 'PKI needs to die' is incorrect. It would seem that PKI *can* work, with a little help (by people establishing sufficiently unique and non-copiable identities as a factor of the key).
Partial, vendor-driven PKI solutions with repeated/copyable identities, are evidently a very different matter.
no subject
Date: 2002-06-11 06:11 am (UTC)If I'd whisked away control of one of your e-mail addresses I could easily add a photo to the signed block and thus potentially make people more likely to think I was you than you were.
IYSWIM
no subject
Date: 2002-06-11 06:23 am (UTC)For one thing, you can't arbitrarily change your appearance, whereas I could if I chose change my name to Wechsler or Giolla Decair and then the only way in which your claim to the name would trump mine would be priority, which doesn't work for John Wilson.
Separated at birth? Erm, I think not...
Date: 2002-06-11 08:02 am (UTC)Hrm, yes. So far today, while following this discussion thread, I've had three people walk past me at work, stop, and ask me "Is that you?" (referring to your journal photo) :)
Regards,
Denny
PS: Here's a larger version of the photo I use here (http://www.concretecow.com/denny/graphics/denny.gif) and another pic of me (http://www.concretecow.com/denny/graphics/denny2000.jpg). I don't see the resemblance myself, but then I'm used to associating with people who have long dark hair and tend to wear black, I don't regard those as useful identifying characteristics :)
Re: Separated at birth? Erm, I think not...
Date: 2002-06-11 08:26 am (UTC)That's weird. Other than both being cute with fantastic hair, I can't see much resemblence.
*confusedelise*
Re: Separated at birth? Erm, I think not...
Date: 2002-06-11 08:28 am (UTC)Re: Separated at birth? Erm, I think not...
Date: 2002-06-11 08:30 am (UTC)~D.
PS: *blush*
Covering several points
Date: 2002-06-11 04:49 pm (UTC)that would cost per key? If you're thinking of a PGP style web of trust then
it'll fall over pretty quickly either by deliberate misuse or just because
people are crap and will say they trust things they shouldn't.
Photo's aren't much use for idenitfying people you've never met, and are of
even less use for identifying machines.
As far as trusting the "key" goes why would I want to? A key that isn't tied
to some other information isn't the slightest bit of good. I need to know that
a given key is associated with the machine I'm connecting to, the e-mail
address I'm communicating with, or the user I'm authenticating. So unless I
associate thet key with some other data it's useless.
If you give me a key and say it's your key, then yes I can trust it directly
and likewise for your server. However I'd want to make a note of that, and
would then might want to pass on that note when someone who asks me for your
key. They'd of course then have to trust me when I say ciphergoth gave me
this key and it's really his. They'd probably make a note of it in fact. Of
course having been given the key by me with or without an attached note, they
should verify the finger print directly with you in the same way they should
now. If I was using the key to exchange e-mails with you I'd probably note
your e-mail address against it and oops back to square one.
To be useful you need a fixed relationship between the key/finger print and
some pointer to a unique idenitifier, and unless I've met you and until image
recognition software is a lot better a photo isn't it.
Also I'd have to refute your statement about the chances of a fingerprint/key
being unique, that is only true for a given implementation of the PK part of
PKI, but if you get the I part right the uniqueness or otherwise of the keys
themselves really doesn't matter as much, as in most infrastructures
the signed data normally contains several bits of unique data.
The problem with PKI isn't the cryptography, it's the infrastructure part.
Maintaining trust, distributing keys, and revoking them if the data they are
associated with changes. Doing this within limited communities, such as
within a company/* or a community small enough that photo's are viable */
is fairly easy, but to date no one has made it scale well. Changing which
bit of data you trust doesn't move you any closer to resolving the problem
Re: Covering several points
Date: 2002-06-12 02:01 am (UTC)Why does it make more sense to trust a domain or an email address than to trust a key? They are more fickle.
Also I'd have to refute your statement about the chances of a fingerprint/key being unique, that is only true for a given implementation of the PK part of PKI
Er, eh? If the probability that two parties might have the same public key is non-negligible, the crypto is weak. If the probability that two parties with distinct public keys might have the same key fingerprint is non-negligible, the crypto is weak. Only broken systems can have fingerprint collisions. I'm somewhat familiar with all the PK signature algorithms in widespread use, but what I'm saying here is provably true of all PK systems and all hash functions. If you really want to refute this point, please at least provide a counterexample.
no subject
Date: 2002-06-11 05:46 am (UTC)Cool! Sadly Debian "potato" only comes with 1.0.6; now I have to decide whether to force an upgrade...
In some ways I think we're saying the same thing. People advertise PKI as a way of verifying someone's identity, but all it gives you is a way of verifying name and email address, neither of which are good for the purpose. Consider the problems involved in binding the pair ("Wechsler", wechsler@ukcycling.info) to a key; one is not your legal name, and the other is no longer your email address.
no subject
Date: 2002-06-11 05:59 am (UTC)So wechsler@ukcycling.info is no longer Wechsler. Well, that's OK, because the person who now owns that doesn't have Wechsler's private key, so suddenly e-mails coming from that address are unsigned, or signed with a different key, either of which might cause me to go 'Ah - I'm no longer sure that's the Wechsler I know'. Wechsler's private key is the associated with an e-mail address that's no longer valid for him, but as soon as he's told me what his new e-mail asddress is I can update my records. I still trust his public key itself, and can verify documents signed with it and encrypt documents that only he can read (even if I have to wait to find out where to send them).
no subject
Date: 2002-06-11 06:08 am (UTC)no subject
Date: 2002-06-11 06:27 am (UTC)If this agrees with Ellison, that's great, but the portion of his argument that you quoted looked like a big fat straw man to me. He says that one especially brain-dead method of identifying people uniquely - 'Forename Surname' - doesn't work. Well, who'd have thunk it, eh?
I don't see why this means that the whole concept of PKI is flawed. All it means is that people are trying to use it to do things it is not designed to do.