http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html
Public Key Infrastructure: An Artifact Ill-Fitted to the Needs of the Information Society
Abstract
It has been conventional wisdom that, for e-commerce to fulfill its potential, each party to a transaction must be confident in the identity of the others.
This is the law for commerce, except for cash transactions of non-controlled goods. Firearm sales usually require proof of identity (at least) even for a cash transaction.
Digital signature technology, based on public key cryptography, has been claimed as the means whereby this can be achieved.
No. The only thing claimed in digital signature technology is that a message was signed by a key which has a strong binding to an identifier: Section 11.2 of X.509v3 Management of certificates states that the certificate allows an association between a name called unique distinguished name, or DN for the user, and the user's public key: A certificate associates the public key and unique distinguished name of the user it describes. However, the same user can have different DNs in different CAs, or can have the same DN in different CAs even if the user is not the first to use it in any of the CAs. So, nowhere in X.509 or in PKIX (which stands for PKI with X.509) is it 'claimed' that digital certificates provide proof of identity. This is a serious mistake in this paper, which is however a quite common misconception (unfortunately fueled by CAs, sometimes). [see "Overview of Certification Systems" at http://www.mcg.org.br/certover.pdf -- originally published in 1997 and downloaded more than 200,000 times, or more than I care to count; mirrored at http://www.thebell.net/papers/certover.pdf and elsewhere]. BTW, this is also Bruce Schneier's unfortunate mistake, in his latest newsletter. And a digital certificate is certainly less of a seal than a signature because a digital signature is not bound at all to the document but to the contents of the document. Even if a document has its contents erased (chemically, or with lasers or otherwise), the seal remains intact whereas the digital signature would cease to work.
Digital signatures do little, however, unless a substantial infrastructure is in place to provide a basis for believing that the signature means something of significance to the relying party.
Wrong. Let's repeat -- if a PKI does not exist, then all digital signatures work without a PKI and the statement above is wrong. If a PKI exists, the whole paper is moot. A correct statement would be to say that PKIs do exist in domains of trust (which domains can even extend to the whole world, so they are not necessarily "small" in the geographic sense) and that in each domain digital certificates work fine. This applies not only to X.509 or PKIX but also to PGP.
Conventional, hierarchical PKI, built around the ISO standard X.509, has been, and will continue to be, a substantial failure.
;-) It is a good business, though.
This paper examines that form of PKI architecture, and concludes that it is a very poor fit to the real needs of cyberspace participants. The reasons are its inherently hierarchical and authoritarian
:-) Maybe a day will come that a certificate will order me around, but this may be too far in the future to be of any concern.
nature, the unreasonable presumptions it makes about the security of private keys, a range of other technical defects, confusions about what it is that a certificate actually authenticates, and its inherent privacy-invasiveness. Alternatives are identified.
All this is a déjà vu of other papers, including not only my own "Overview of Certification Systems" of 1997, with a lot of added mistakes.
Cheers,
Ed Gerck
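Two of the points argued above can be checked directly against the X.509 machinery: that a certificate binds a public key to a DN which is unique only within the issuing CA (so two CAs can each issue "CN=Alice" to unrelated keys), and that a digital signature verifies over the bytes of a document's contents and only within the domain of trust whose root issued the signer's certificate. The following Go program, using only the standard library, is an added example and is not code from this message, from Clarke's paper or from the X.509 specification; the CA names, the user name "Alice" and the signed text are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA creates a self-signed root for one domain of trust; caName is a
// constructed label, not a real CA.
func newCA(caName string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return key, cert
}

// issue has the CA (caKey, caCert) bind pub to the distinguished name CN=dn.
// Nothing in X.509 stops another CA from binding the same DN to another key.
func issue(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, dn string, pub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: dn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, pub, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// chainsTo reports whether cert validates in the domain of trust whose root is root.
func chainsTo(cert, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Result holds what Demo observes.
type Result struct {
	SameDN, DifferentKeys                  bool
	SigValid, SigValidAfterEdit            bool
	ChainsInOwnDomain, ChainsInOtherDomain bool
}

// Demo has two CAs each issue "CN=Alice" to a different key holder, then
// checks one signature before and after a digit of the signed text changes.
func Demo() Result {
	keyA, rootA := newCA("Example CA A")
	keyB, rootB := newCA("Example CA B")
	aliceA, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	aliceB, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	certA := issue(keyA, rootA, "Alice", &aliceA.PublicKey)
	certB := issue(keyB, rootB, "Alice", &aliceB.PublicKey)
	doc := []byte("Pay 100 to Bob") // constructed document
	h := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, aliceA, h[:])
	check(err)
	edited := append([]byte(nil), doc...)
	edited[4] = '9' // now reads "Pay 900 to Bob"
	h2 := sha256.Sum256(edited)
	return Result{
		// A DN names a key relative to its issuer, not a person in the world.
		SameDN:        certA.Subject.String() == certB.Subject.String(),
		DifferentKeys: !aliceA.PublicKey.Equal(&aliceB.PublicKey),
		// The signature covers the content bytes, not the document as an object.
		SigValid:          ecdsa.VerifyASN1(&aliceA.PublicKey, h[:], sig),
		SigValidAfterEdit: ecdsa.VerifyASN1(&aliceA.PublicKey, h2[:], sig),
		// certA is trusted only inside the domain whose root issued it.
		ChainsInOwnDomain:   chainsTo(certA, rootA),
		ChainsInOtherDomain: chainsTo(certA, rootB),
	}
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Running it prints SameDN and DifferentKeys as true together, which is the DN ambiguity across CAs described above; SigValid true and SigValidAfterEdit false, since the signature is over the hashed contents; and ChainsInOwnDomain true with ChainsInOtherDomain false, since a relying party outside the issuing CA's domain has no root with which to validate the certificate.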