ciphergoth: (Default)
[personal profile] ciphergoth
In response to http://www2.cio.com/research/security/edit/a05232002.html
From: Carl Ellison <cme@acm.org>
Subject: Re: PKI: Only Mostly Dead

Scott,

as far as I'm concerned PKI is not only dying, it deserves to die
much more quickly. That's because when it works, it still doesn't
work.

See the two papers to which I contributed at last month's PKI
Research Workshop http://www.cs.dartmouth.edu/~pki02/

Look especially at what we call the John Wilson problem. In a
nutshell, if you bind a name to a key, even if you do that always
accurately and even if your certificates interoperate with my
software, you have done nothing for me if there are more than about
1000 certified people in the world. That's because there are too
many John Wilsons. I can't tell them apart by name, when you lump
them all together into one big pool (the pool of all people the CA
certifies -- e.g., a big one like VeriSign -- or a little one like
Intel Corporation with only 70,000 and 8 John Wilsons). If I can't
tell them apart (and people can't -- for which we have definite
proof), then I am forced to make a guess as to which one is the right
one -- if the right one is represented at all -- and when I'm handed
a certificate saying that this S/MIME message or HTTPS page came from
John Wilson, I'm not given the list of all John Wilsons, so I don't
even get to compare them to see which one looks like the closest
match.

PKI deserves to die not because of vendor greed, although there is
plenty of that, but because the original idea was wrong. When you
bind a person's name to a public key you have not identified the key
in a way that is useful to me. That's because if I know the name of
the keyholder, I still don't know who the keyholder is.

- Carl

P.S. I strongly recommend your reading those papers in the preprints
available at the PKI Workshop web site.
+------------------------------------------------------------------+
|Carl M. Ellison         cme@acm.org     http://world.std.com/~cme |
|    PGP: 08FF BA05 599B 49D2  23C6 6FFD 36BA D342                 |
+--Officer, officer, arrest that man. He's whistling a dirty song.-+

Date: 2002-06-11 05:46 am (UTC)
From: [identity profile] ciphergoth.livejournal.com
GPG 1.07 supports the image extensions too.

Cool! Sadly Debian "potato" only comes with 1.0.6; now I have to decide whether to force an upgrade...

In some ways I think we're saying the same thing. People advertise PKI as a way of verifying someone's identity, but all it gives you is a way of verifying name and email address, neither of which are good for the purpose. Consider the problems involved in binding the pair ("Wechsler", wechsler@ukcycling.info) to a key; one is not your legal name, and the other is no longer your email address.

Date: 2002-06-11 05:59 am (UTC)
djm4: (Wallace)
From: [personal profile] djm4
Ah. I've never thought of PKI as a means of verifying identity in and of itself - more a means of continuing to trust an already established identity, or of being reasonably sure that I'm talking to person X and only person X, even if I don't otherwise know who person X is.

So wechsler@ukcycling.info is no longer Wechsler. Well, that's OK, because the person who now owns that doesn't have Wechsler's private key, so suddenly e-mails coming from that address are unsigned, or signed with a different key, either of which might cause me to go 'Ah - I'm no longer sure that's the Wechsler I know'. Wechsler's private key is then associated with an e-mail address that's no longer valid for him, but as soon as he's told me what his new e-mail address is I can update my records. I still trust his public key itself, and can verify documents signed with it and encrypt documents that only he can read (even if I have to wait to find out where to send them).

Date: 2002-06-11 06:08 am (UTC)
From: [identity profile] ciphergoth.livejournal.com
Right, so what you're saying is, you trust a key directly, not an email address. That's Ellison's position. If you trust the key to be the Wechsler you know, you don't need any certificates to verify it. If you don't, a certificate binding it to an email address won't help you.
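
An added illustration, not part of the original thread or of Ellison's email: a contact book indexed by key fingerprint rather than by name or address, showing both the key-continuity decision described in the comments above and the John Wilson ambiguity from the email. `KeyBook`, `classify`, `certified_matches` and the status strings are hypothetical names, the key bytes are constructed placeholders, and signature verification is assumed to have been done already by the mail client, which hands over the signer's fingerprint (or `None` for unsigned mail).

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(pubkey: bytes) -> str:
    """Short identifier for a public key (SHA-256, truncated for display)."""
    return hashlib.sha256(pubkey).hexdigest()[:16]

@dataclass
class Contact:
    label: str                                   # my own private name for this keyholder
    addresses: set = field(default_factory=set)  # mutable attribute, not the identity

class KeyBook:
    """Contacts indexed by key fingerprint; names and addresses are only attributes."""
    def __init__(self):
        self.by_key = {}

    def pin(self, pubkey: bytes, label: str, address: str) -> str:
        fp = fingerprint(pubkey)
        self.by_key[fp] = Contact(label, {address})
        return fp

    def classify(self, from_addr: str, signer_fp):
        """signer_fp: fingerprint of the key whose signature verified, or None."""
        if signer_fp in self.by_key:
            contact = self.by_key[signer_fp]
            if from_addr in contact.addresses:
                return ("known-key", contact.label)
            # Same keyholder writing from somewhere new: records can be updated.
            return ("known-key-new-address", contact.label)
        claimed = [c.label for c in self.by_key.values() if from_addr in c.addresses]
        if claimed:
            # Familiar address, but unsigned or signed by a key I never pinned.
            return ("address-known-key-mismatch", claimed[0])
        return ("unknown", None)

def certified_matches(ca_pool, name):
    """The John Wilson problem: every key a CA has certified under `name`."""
    return [fingerprint(key) for cert_name, key in ca_pool if cert_name == name]

# Constructed sample data: key bytes are placeholders, not real keys.
book = KeyBook()
W_KEY = b"constructed-public-key-wechsler"
W_FP = book.pin(W_KEY, "Wechsler (the one I know)", "wechsler@ukcycling.info")
CA_POOL = [("John Wilson", b"constructed-key-%d" % i) for i in range(8)]
```

A lookup by certified name returns eight distinct keys with nothing to choose between them, while a lookup by pinned fingerprint returns exactly one contact whatever address the message claims.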

Date: 2002-06-11 06:27 am (UTC)
djm4: (Wallace)
From: [personal profile] djm4
It helps me establish who the key is claiming to belong to, and who says so. In a lot of cases, this may be all the level of trust I need. If it's not, at least I have clues about where to look next.

If this agrees with Ellison, that's great, but the portion of his argument that you quoted looked like a big fat straw man to me. He says that one especially brain-dead method of identifying people uniquely - 'Forename Surname' - doesn't work. Well, who'd have thunk it, eh?

I don't see why this means that the whole concept of PKI is flawed. All it means is that people are trying to use it to do things it is not designed to do.

Profile

ciphergoth: (Default)
Paul Crowley
