I thought I would post this to try and spur some discussion. It is my reply to DS's bid for the security of centralized authority in key certification. In article <strnlghtCpzCqo.Jzr@netcom.com>, David Sternlight <david@sternlight.com> wrote:
In article <Cpz2HA.HAG.3@cs.cmu.edu>, Rujith S DeSilva <rudis+@cs.cmu.edu> wrote:
Mr. Sternlight said that RIPEM can have signed messages in which the authenticity of the public-key can be assured in the same message, and that PGP cannot do so.
Mr. Repenning's `one-word reply' was a PGP signed message in which the authenticity of the public-key was assured in the same message.
Nope. His message simply provided his public key without any authentication other than those he got to sign it. Since those are themselves not authenticated except by the few who trust them, his public key is basically unauthenticated. What he DID do is prove that the message was authenticated with that public key. So what?
Ripem provides a certificate in which a known Certification Authority (in most cases RSADSI--eventually the Internet authorities themselves--vouches for the sender's public key and one knows what standards have been applied to prove identity. That public key is used to sign the message. Thus the person is matched to his key and certified by a high-level-of-trust standard certifier. That key then is used to authenticate the message.
Putting it another way, I can't get an RSA Certificate without passing a number of tests of my identity--for the Unaffiliated User Hierarchy that involves proving to a Notary Public I'm me, with 3 pieces of ID including a photo ID, and making that assertion under penalty of perjury.
Thus the chances are pretty good I'm me and the key is mine.
I dispute this. It is a simple matter to circumvent this requirement. If you would like to find three or four people on any given weekend who have the capacity to obtain a "trusted" certification in another name, or any name they wish, I suggest you try a college bar in Georgetown, or any other college area for that matter. Even passports are subject to sophisticated and fraudulent application. Your blind trust in the ability of perjury to deter is misplaced, and I might add, typical of your legal-process way of approaching problems.

All a centralized authority really accomplishes is to put a cap and a floor on the threshold to accept a given key as "valid" or that said keyholder's name really is "Bob Dwyer." PGP claims no such authority. PGP merely says: This is who has certified and vouched for the ownership of this key. Take my key signing policies. I will sign another's key in two instances.

1> If a physical exchange of key materials is made by the key holder, and if that owner can prove access to the secret key. (Signed with my low-security key)

2> If I personally know the keyholder and am acquainted in a context outside of the Internet, and the above criteria can be satisfied. (Signed with my high-security key)

Which will you assert is the more reliable? A central authority that has never seen or heard of said applicant before? Or an authority who has known said applicant for months or even years outside of the Internet, and in a personal capacity? (My method #2) Until every man, woman, and teen has a smart national ID card based on fingerprints or retina scan or DNA sampling, centralized authority is really a limiter, and in many cases a deceptive appearance of "secure" certification. (I might add that these methods are unacceptable to me for other reasons.)
In fact, should you be willing to wager a sufficient amount, and assure my non-prosecution for perjury, I would be pleased to demonstrate the ability to circumvent the centralized procedure in whatever reasonable protocol you would like. Provided I have an individual whom I trust to sign keys only of those he knows, the only way to circumvent my PGP authentication requirements is to physically intercept the secret key and break the passphrase, or to resort to rubber-hose cryptanalysis. A tactic that is likely to cause key revocation in any event.
With PGP one makes up a key, finds someone or other to sign it, and unless the signers are both known and trusted by every reader, one has nothing. RSA IS known to every reader and their safeguards are published.
So what you really have is the potential for untrusted signatures to be given in PGP. So? How is this a limiter to the user who is careful enough to screen the keys properly? A centralized key signer authority is merely laziness. It is a method forwarded by those who are too slothful to take security in their own hands and wish to have it instead provided for them. This is why PGP is often criticized: Users are simply too lazy to look out for themselves. The answer is to limit everyone. Typical American policy, shoot for the average every time. You don't need to learn how to drive, we'll just make the speed limit safe for any idiot. You don't need to know how to brake, we'll just invent ABS. You don't need to take responsibility for your own security, we'll just invent a mediocre standard to do it for you.
Until PGP has some trusted official signers with high security certification device protection and identity safeguards, the level of authentication is its weakest element.
No, until users pay more attention to what really is a "high security certification," authentication is its weakest element FOR THOSE USERS. When users really take extensive steps to certify, a certification is MORE secure than a centralized authority. I'm going to trust my million dollar transaction to a trusted friend's certification way before I trust what amounts to the Department of Motor Vehicles' assurance of identity.
By the way, in his example he did it wrong. First public key, then signature or the poor reader has to invoke PGP twice.
And this is a good clue perhaps on his signing procedures and caution in methodology.
David
-uni- (Dark) -- 073BB885A786F666 nemo repente fuit turpissimus - potestas scientiae in usu est 6E6D4506F6EDBC17 quaere verum ad infinitum, loquitur sub rosa - wichtig!
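The two positions in the thread above, Sternlight's ("unless the signers are both known and trusted by every reader, one has nothing") and uni's two-tier signing policy with a low-security and a high-security key, both come down to how a reader turns a pile of signatures into a decision about key validity. The following toy model is an added example written for this page, not code from the posting or from PGP or RIPEM; all key ids, names, signatures and trust settings are constructed. It applies the PGP 2.x-style default rule (one completely trusted signer or two marginally trusted signers makes a key valid, and a signer only counts once its own key is valid) and runs the same signature graph through three readers: one who trusts uni's high key completely and his low key marginally, one who trusts only a certifying authority, and one who trusts nobody.

```python
# Toy model of key validity: PGP-style web of trust versus a single
# certifying authority.  Added example for this discussion; not code from
# the posting, PGP or RIPEM.  Every key id, name, signature and trust
# setting below is constructed for illustration.

COMPLETE, MARGINAL = "complete", "marginal"

# Constructed keyring: key id -> name the key claims to belong to.
OWNERS = {
    "own":      "The Reader",
    "uni-high": "uni (high-security key)",
    "uni-low":  "uni (low-security key)",
    "alice":    "Alice",
    "bob":      "Bob Dwyer",
    "bob2":     "Bob Dwyer",      # a second key claiming the same name
    "stranger": "Somebody",
    "ca":       "Certification Authority",
}

# Constructed signatures: (signer key id, certified key id).
SIGNATURES = {
    ("own", "uni-high"),       # reader verified uni's high key in person
    ("own", "ca"),             # reader obtained the authority's key out of band
    ("uni-high", "uni-low"),   # uni cross-certifies his own low key
    ("uni-high", "alice"),     # uni's policy #2: known personally, key exchanged
    ("uni-low", "bob"),        # uni's policy #1: key exchanged in person only
    ("stranger", "bob2"),      # an unknown signer vouches for a second "Bob Dwyer"
    ("ca", "alice"),           # the authority certified Alice ...
    ("ca", "bob2"),            # ... and, by its own identity checks, "bob2"
}


def valid_keys(reader_trust, own_key="own", owners=OWNERS, signatures=SIGNATURES):
    """Return the set of key ids this reader may treat as valid.

    reader_trust maps a key id to how far the reader trusts its owner as a
    certifier (COMPLETE or MARGINAL); keys not listed are untrusted.  The
    reader's own key is axiomatically valid and its signatures count as
    complete.  A key becomes valid when it carries a signature from one
    completely trusted valid key or from two marginally trusted valid keys.
    Iterate to a fixpoint because validity propagates along signatures.
    """
    trust = {own_key: COMPLETE, **reader_trust}
    valid = {own_key}
    changed = True
    while changed:
        changed = False
        for key in owners:
            if key in valid:
                continue
            # Only signatures from keys that are already valid are considered.
            signers = {s for s, k in signatures if k == key and s in valid}
            completes = sum(1 for s in signers if trust.get(s) == COMPLETE)
            marginals = sum(1 for s in signers if trust.get(s) == MARGINAL)
            if completes >= 1 or marginals >= 2:
                valid.add(key)
                changed = True
    return valid


def keys_for_name(name, valid, owners=OWNERS):
    """Valid keys that claim a given name; zero or several means the reader
    still has a decision to make that no signature made for them."""
    return sorted(k for k in valid if owners[k] == name)


if __name__ == "__main__":
    readers = {
        "web-of-trust reader": {"uni-high": COMPLETE, "uni-low": MARGINAL},
        "authority-only reader": {"ca": COMPLETE},
        "trusts-nobody reader": {},
    }
    for label, trust_db in readers.items():
        valid = valid_keys(trust_db)
        print(f"{label}: valid keys = {sorted(valid)}; "
              f"keys for 'Bob Dwyer' = {keys_for_name('Bob Dwyer', valid)}")
```

Run as written, the web-of-trust reader ends up with uni's two keys and Alice valid but neither "Bob Dwyer" key, because the low-security key's signature alone is only one marginal vote; the authority-only reader gets Alice and "bob2" valid, whichever identity checks the authority actually ran; and the reader who trusts nobody gets only the keys they verified themselves. Adding a second marginal signer for "bob" (for instance Alice, once the reader marks her marginal) flips that key to valid, which is the web of trust's answer to uni's "cap and floor" point: the threshold is the reader's to set, not the authority's.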