Comments: PKI's mission: sell certs or die in the attempt!

Here's another area where I'm out of step with the cool security dudes. I think it makes a lot of sense for people to own and use public keys in their online activities. I fully agree that using user name and password to log in is stupid, and in my experience secureid is a pain to use.

PKI means different things to different people. To me, it means the necessary infrastructure (that's the I) to support the widespread use of public key (the PK) cryptography. From this perspective, there's nothing to be afraid of in PKI. The connotations most people have, that it means Verisign shaking you down for three hundred bucks a year for a cert, is far too narrow. PGP web of trust is a PKI. There are many other ways of setting up a PKI.

The main problem is that the narrow business interests are of course only looking for ways to proceed that are profitable. So we should look to hobbyists and open source groups to spread a real PKI. But largely because of the anti-PKI activism from the grass roots security commmunity, there are few efforts along these lines, and what there are don't have widespread support.

There is a whole world of cryptographic technology waiting to be developed and implemented. Credential systems, fancy kinds of signatures, new protocols; but all rely, at the bottom, on some form of public key cryptography. Without a widespread infrastructure for supporting PKC, these more advanced systems can't get off the ground.

I wish people would take off the blinders when thinking about PKI and see that there is more to it than the narrow business efforts of the past. Cryptographers in particular should support the use of PKC and the PKI which enables it. That is the only way forward for our field to achieve its potential in terms of bringing value to society.

Posted by Cypherpunk at December 9, 2004 06:44 PM

Bof,

only one reply to the comments made to this lament:

trusted devices

and open again is pandorra's box.

gr

Twan

Posted by Twan at December 9, 2004 06:55 PM

What is really sad is the amount of time and effort that went into legislating Certificate Authorities and the ability of States and Federal governments to see a chance to tax the dam thing before they even made a profit. Now the Certificate Authority laws will lay on the books for years until they decide they can enforce them or even understand the full scope of it. Yes another moustache cup law waitng to be dropped on the innocent.

Posted by Jimbo at December 9, 2004 07:56 PM

What does PKI refer to? Well, sure, as a bunch of initials it means the infrastructure behind PK. And it would be nice if that was a useful definition, because we could all get on and build them.

But, pragmatically, the "infrastructure" needs for a PGP style PKI are so lightweight, in comparison with the x.509 cousin, that one doubts that they are the same thing. This doesn't mean lightweight is weakling; far from it, and I can attest to the fact that a PGP style infrastructure is far stronger and far more complete than an x.509 infrastructure can dream of being (being able to do dual sigs makes a world of difference). But, it remains that they are two very different things, and therefore we need two words.

And, then, in the marketplace, when companies say PKI they mean one and only one thing. They mean the x.509 / CA / centralised hierarchical architecture thing that burst into flight then orbit in the 90s, only to fall like a meteor and burn up on re-entry. I have a PKI requirements doc on my desk right now. It literally admits no concept other than the x.509 centralised design.

So when it comes to definitions of the word, I feel it is something to shrug ones shoulders at. PKI is an x.509 / CA / hierarchical beast. PGP is something different. That's just me. I'll change my mind the day the consultants start selling PKIs with a choice of x.509 and WOT.

Cypherpunk, I believe you're totally correct in that the future is with the "open" side. But, the direction is not going to come from PKI (of either form) but from your own earlier comment that it is safe to say these things as a nym! Nyms are the future. Mark these words; another prediction that might get proven wrong ;-)

Posted by Iang at December 9, 2004 08:37 PM

If you look at Ellison & Schneier's paper Ten Risks of PKI, you'll see that many of the risks apply to any infrastructure for public keys. http://www.schneier.com/paper-pki-ft.txt

Risk #1: "Who do we trust, and for what?"

That's a big problem with the PGP web of trust, reputation systems, and other decentralized attempts to create a PKI. It's not just about CAs and X.509.

Risk #2: "Who is using my key?"

Who controls your key? How do you protect it? Again, a problem that goes beyond CAs.

Risk #3: "How secure is the verifying computer?"

A problem any time you're relying on someone else's signature, whether a CA, a PGP web of trust key signer, or just a digitally signed message or contract.

Risk #4: "Which John Robinson is he?"

Again a problem with any identity based key management system, not just X.509 CAs.

Etc., etc. This is a really bad paper (I saw you wrote a critique of it too) partially because it fails to distinguish between the commercial-CA-X.509 flavor of PKI, and the more general issues which arise with any attempt at wide scale use of public keys to do something practical. But it does show how there is confusion between the various uses of the term.

Posted by Cypherpunk at December 10, 2004 03:31 PM

It depends on the definition we agree on, and the assumptions we set for ourselves !

If you look at all four of those risks you will see that they all assume that there is a strong link between a key and a human. Something like "this key is owned by this human." Or it might be the other way around, sometimes I wonder.

If we don't assume this, then all four of those risks are non-risks. In fact, OpenPGP and its web of trust do *not* assume this; there is a UserId field which is totally open. Custom suggests an email format, but it's not slavishly followed.

If instead we look at x.509, as a format it assumes the identity. One person, one key. The CA assumes a key; one individual, one set of documents. As an approximation, we can assume that most identity based key management systems are based on x.509 and CAs. So if identity based key management systems are what you call PKIs, then sure, we can agree on that.

But the really interesting stuff is happening out there were keys are not pre-ordained as belonging one-for-one with humans. We can pretty much stab around the whole SSL browsing PKI and say that the reason it failed was "one person, one key." If the systems, implementors, CAs, analysts and investors hadn't been so fixated on that (and selling those one persons their one keys), we would have every browser with a cert and every mailer with several by now, and the net would be a whole lot safer.

Oh, and a lot more certs would have been sold, but that's of no interest.

Posted by Iang at December 10, 2004 07:36 PM

I don't know why people are determined to try to turn (decent) product markets into (failed) service markets. Selling CAs seems like it has fewer problems that selling certs, but they were determined to sell certs. Likewise, all the money in Wi-Fi is in the equipment, not the hotspot service providers, despite many headlines to the contrary.

BTW, Apple is integrating X.509 into OS X effectively for free. I'm not sure why; maybe because you can't sign email with Kerberos?

Posted by Wes Felter at December 13, 2004 07:39 PM

hi Wes,

I guess the reason to use x.509 anywhere is that there is a large installed base of mailers that can understand it; why not try and use them?

The reason for using x.509 for free should be self-evident. What I have yet to find a satisfactory answer to is why you would insist on not using them for free?

iang

Posted by Iang at December 14, 2004 09:33 AM
MT::App::Comments=HASH(0x1062850) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/Object.pm line 125.