PKI deserves to die

[ciphergoth]

In response http://www2.cio.com/research/security/edit/a05232002.html

From: Carl Ellison <cme@acm.org>
Subject: Re: PKI: Only Mostly Dead

Scott,

as far as I'm concerned PKI is not only dying, it deserves to die
much more quickly. That's because when it works, it still doesn't
work.

See the two papers to which I contributed at last month's PKI
Research Workshop http://www.cs.dartmouth.edu/~pki02/

Look especially at what we call the John Wilson problem. In a
nutshell, if you bind a name to a key, even if you do that always
accurately and even if your certificates interoperate with my
software, you have done nothing for me if there are more than about
1000 certified people in the world. That's because there are too
many John Wilsons. I can't tell them apart by name, when you lump
them all together into one big pool (the pool of all people the CA
certifies -- e.g., a big one like VeriSign -- or a little one like
Intel Corporation with only 70,000 and 8 John Wilsons). If I can't
tell them apart (and people can't -- for which we have definite
proof), then I am forced to make a guess as to which one is the right
one -- if the right one is represented at all -- and when I'm handed
a certificate saying that this S/MIME message or HTTPS page came from
John Wilson, I'm not given the list of all John Wilsons, so I don't
even get to compare them to see which one looks like the closest
match.

PKI deserves to die not because of vendor greed, although there is
plenty of that, but because the original idea was wrong. When you
bind a person's name to a public key you have not identified the key
in a way that is useful to me. That's because if I know the name of
the keyholder, I still don't know who the keyholder is.

- Carl

P.S. I strongly recommend your reading those papers in the preprints
available at the PKI Workshop web site.

+------------------------------------------------------------------+
|Carl M. Ellison         cme@acm.org     http://world.std.com/~cme |
|    PGP: 08FF BA05 599B 49D2  23C6 6FFD 36BA D342                 |
+--Officer, officer, arrest that man. He's whistling a dirty song.-+

Comments

Re: "PKI needs more than a name"

[djm4]

Just to reply to my own point - I think that one thing that bothers me is that it's perfectly valid for two public keys to have the same fingerprint. The only thing it screws up is the unique index in a database that has nothing directly to do with PGP itself. There's no immediate requirement for one or other person using the keys to change.

Whereas if two people get accidentally allocated the same e-mail address, then that actually buggers up mail delivery on the Internet a bit. E-mail delivery for one or both people will, in principle, be broken until one or other of them gives up the e-mail address.

I don't like the idea of creating a system that by implication invalidates something that would have been valid before (two keys with identical fingerprints). I'd far rather base it around something that's aleady invalid (fingerprint and e-mail pairs that are identical).

Did that make any sort of sense?

Re: "PKI needs more than a name"

[ciphergoth.livejournal.com]

I'll have to explain this to you in the pub sometime. I see why you feel this way, but you're not thinking like a cryptographer...

Re: "PKI needs more than a name"

[djm4]

Well, no, I wouldn't be, would I? ;-)

Re: "PKI needs more than a name"

[ukfetish.livejournal.com]

How much does one have to drink before one starts to think like a cryptographer then? ;)

~D.