CDR: Public Key Infrastructure: An Artifact...
http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html

Public Key Infrastructure: An Artifact Ill-Fitted to the Needs of the Information Society

Abstract

It has been conventional wisdom that, for e-commerce to fulfill its potential, each party to a transaction must be confident in the identity of the others. Digital signature technology, based on public key cryptography, has been claimed as the means whereby this can be achieved. Digital signatures do little, however, unless a substantial infrastructure is in place to provide a basis for believing that the signature means something of significance to the relying party. Conventional, hierarchical PKI, built around the ISO standard X.509, has been, and will continue to be, a substantial failure. This paper examines that form of PKI architecture, and concludes that it is a very poor fit to the real needs of cyberspace participants. The reasons are its inherently hierarchical and authoritarian nature, the unreasonable presumptions it makes about the security of private keys, a range of other technical defects, confusions about what it is that a certificate actually authenticates, and its inherent privacy-invasiveness. Alternatives are identified.

-- 
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
On Sat, 11 Nov 2000, R. A. Hettinga wrote:
Conventional, hierarchical PKI, built around the ISO standard X.509, has been, and will continue to be, a substantial failure. This paper examines that form of PKI architecture, and concludes that it is a very poor fit to the real needs of cyberspace participants. The reasons are its inherently hierarchical and authoritarian nature, the unreasonable presumptions it makes about the security of private keys, a range of other technical defects, confusions about what it is that a certificate actually authenticates, and its inherent privacy-invasiveness. Alternatives are identified.
In the vast majority of cases, preventing man in the middle attacks is a waste of time. -Bram Cohen
On Thu, 16 Nov 2000, Bram Cohen wrote:
In the vast majority of cases, preventing man in the middle attacks is a waste of time.
Because in the vast majority of cases it's not possible.

____________________________________________________________________
He is able who thinks he is able. Buddha

The Armadillo Group
James Choate
Austin, Tx
ravage@ssz.com
www.ssz.com
512-451-7087
--------------------------------------------------------------------
http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html
Public Key Infrastructure: An Artifact Ill-Fitted to the Needs of the Information Society
Abstract
It has been conventional wisdom that, for e-commerce to fulfill its potential, each party to a transaction must be confident in the identity of the others.
This is the law for commerce, except for cash transactions of non-controlled goods. Firearm sales usually require proof of identity (at least) even for a cash transaction.
Digital signature technology, based on public key cryptography, has been claimed as the means whereby this can be achieved.
No. The only thing claimed in digital signature technology is that a message was signed by a key which has a strong binding to an identifier: Section 11.2 of X.509v3, Management of certificates, states that the certificate allows an association between a name called the unique distinguished name, or DN, for the user and the user's public key: "A certificate associates the public key and unique distinguished name of the user it describes." However, the same user can have different DNs in different CAs, or can have the same DN in different CAs even if the user is not the first to use it in any of the CAs. So, nowhere in X.509 or in PKIX (which stands for PKI with X.509) is it 'claimed' that digital certificates provide proof of identity. This is a serious mistake in this paper, which is however a quite common misconception (unfortunately fueled by CAs, sometimes). [See "Overview of Certification Systems" at http://www.mcg.org.br/certover.pdf -- originally published in 1997 and downloaded more than 200,000 times, or more than I care to count; mirrored at http://www.thebell.net/papers/certover.pdf and elsewhere.] BTW, this is also Bruce Schneier's unfortunate mistake, in his latest newsletter. And a digital certificate is certainly less of a seal than of a signature, because a digital signature is not bound at all to the document but to the contents of the document. Even if a document has its contents erased (chemically, or with lasers or otherwise), the seal remains intact, whereas the digital signature would cease to work.
Digital signatures do little, however, unless a substantial infrastructure is in place to provide a basis for believing that the signature means something of significance to the relying party.
Wrong. Let's repeat -- if a PKI does not exist, then all digital signatures work without a PKI and the statement above is wrong. If a PKI exists, the whole paper is moot. A correct statement would be to say that PKIs do exist in domains of trust (which domains can even extend to the whole world, so they are not necessarily "small" in the geographic sense) and that in each domain digital certificates work fine. This applies not only to X.509 or PKIX but also to PGP.
Conventional, hierarchical PKI, built around the ISO standard X.509, has been, and will continue to be, a substantial failure.
;-) It is a good business, though.
This paper examines that form of PKI architecture, and concludes that it is a very poor fit to the real needs of cyberspace participants. The reasons are its inherently hierarchical and authoritarian
:-) Maybe a day will come that a certificate will order me around, but this may be too far in the future to be of any concern.
nature, the unreasonable presumptions it makes about the security of private keys, a range of other technical defects, confusions about what it is that a certificate actually authenticates, and its inherent privacy-invasiveness. Alternatives are identified.
All this is a déjà vu of other papers, including not only my own "Overview of Certification Systems" of 1997, with a lot of added mistakes.

Cheers,

Ed Gerck
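An added example, not from the paper, from Ed Gerck, or from any CA, illustrating the point above about what a certificate actually binds: using Go's standard crypto/x509, two constructed CAs each issue a certificate with the identical DN CN=Alice for different keys, and each certificate chains only to its own root, so the DN alone identifies nothing outside a CA's domain of trust. All CA names, DNs and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Domain is one CA's domain of trust: its root and the pool a relying party
// in that domain trusts. Both CAs built here are constructed for the example.
type Domain struct {
	Root *x509.Certificate
	Pool *x509.CertPool
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// sign gives tmpl a one-day validity window and signs it under parent.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// NewDomain builds a self-signed root CA named caName.
func NewDomain(caName string) *Domain {
	k := newKey()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root := sign(tmpl, tmpl, &k.PublicKey, k)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &Domain{Root: root, Pool: pool, key: k}
}

// Issue binds a DN to a public key inside this CA's domain only; another CA may issue the same DN for another key.
func (d *Domain) Issue(serial int64, dn string, pub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: dn}, KeyUsage: x509.KeyUsageDigitalSignature}
	return sign(tmpl, d.Root, pub, d.key)
}

// TrustedIn reports whether cert chains to d's root (EKU checks disabled, so only the chain decides).
func TrustedIn(cert *x509.Certificate, d *Domain) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: d.Pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// SameDN compares name strings; SameKey compares what the CA actually vouched for.
func SameDN(a, b *x509.Certificate) bool { return a.Subject.String() == b.Subject.String() }
func SameKey(a, b *x509.Certificate) bool { return a.PublicKey.(*ecdsa.PublicKey).Equal(b.PublicKey) }

func main() {
	caA, caB := NewDomain("Example CA A"), NewDomain("Example CA B")
	certA := caA.Issue(7, "Alice", &newKey().PublicKey)
	certB := caB.Issue(7, "Alice", &newKey().PublicKey) // same DN and serial, other CA and key
	fmt.Println(SameDN(certA, certB), SameKey(certA, certB), TrustedIn(certA, caA), TrustedIn(certA, caB))
}
```

A relying party that compares DNs across CAs conflates two key holders; the meaningful binding is issuer plus key, which is why the author speaks of certificates working within a domain of trust.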
On Thu, Nov 16, 2000 at 03:53:28PM -0800, Ed Gerck wrote:
http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html
Public Key Infrastructure: An Artifact Ill-Fitted to the Needs of the Information Society
Abstract
It has been conventional wisdom that, for e-commerce to fulfill its potential, each party to a transaction must be confident in the identity of the others.
This is the law for commerce, except for cash transactions of non-controlled goods. Firearm sales usually require proof of identity (at least) even for a cash transaction.
That's a matter of state law - Federal law doesn't (yet) regulate firearm transactions between two residents of the same state where neither is licensed federally as a firearms dealer, so long as the firearms themselves aren't specially controlled (like Class 3 full-auto weapons, or short-barreled rifles/shotguns, etc).

Nevertheless, the main point above is wrong, too - commercial law certainly does NOT require parties to be confident about the identity of counterparties. In most circumstances, identity is irrelevant; and even in disputed transactions, it's very rare that identity becomes crucial. Further, the identity of counterparties isn't fixed or decided at the time a contract is formed - one or more of the participants may later want to correct, amend, or restate the contractual listing of the parties, to include or exclude parties who are thought to have greater or fewer assets, or greater or lesser culpability, in order to enhance their chances for successful litigation.

There's a persistent superstition among technologists who do ecommerce work that knowing someone's identity is necessary or sufficient to successfully litigate against them - neither side of that assumption is true. It can be the hardest thing in the world to successfully serve a summons and complaint on a well-known party - cf. the litigation against the Scientology head, whose name escapes me at the moment. On the other hand, big companies angry about message-board postings have been filing complaints very successfully against unknown (or pseudonymously named) entities, much to the aggravation of people who believe that their marginally greater understanding of technology makes them somehow unreachable or unaccountable. Even assuming that someone is successfully served with a complaint, that's a long way from winning a lawsuit, which is a long way from collecting on a judgement.

Traditional non-legal means of enforcing contracts - like adding the person to a blacklist of "naughty debtors" - don't depend on any sort of proof of identity or proof that a contract ever existed, or was breached - it's easy (if you're a commercial entity of at least moderate size) to add people you believe owe you money to the credit reporting agencies' databases, whether your target is an individual or a business. The reporting agencies require no proof at all - they'll accept the creditors' representations about the alleged debt, and proceed from there.

Identity - and complicated theoretical proofs of identity - are not especially important in commercial law or litigation. It's relatively easy to follow the paths of money and/or goods in commercial transactions - and where it's not, the likelihood of recovery is slim even if the counterparty is well-identified, so litigation is unlikely. Identity does have the advantage of being a very familiar idea, so it's easy to generate and keep certificates about it, which give counterparties a nice warm feeling that they're doing something about the risks they face in a transaction. That feeling is unrelated to what's actually happening, but it does serve to lubricate the wheels of commerce.

-- 
Greg Broiles
gbroiles@netbox.com
PO Box 897
Oakland CA 94604
Greg Broiles wrote:
On Thu, Nov 16, 2000 at 03:53:28PM -0800, Ed Gerck wrote:
http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html
Public Key Infrastructure: An Artifact Ill-Fitted to the Needs of the Information Society
Abstract
It has been conventional wisdom that, for e-commerce to fulfill its potential, each party to a transaction must be confident in the identity of the others.
This is the law for commerce, except for cash transactions of non-controlled goods. Firearm sales usually require proof of identity (at least) even for a cash transaction.
That's a matter of state law - Federal law doesn't (yet) regulate firearm transactions between two residents of the same state where neither is licensed federally as a firearms dealer, so long as the firearms themselves aren't specially controlled (like Class 3 full-auto weapons, or short- barreled rifles/shotguns, etc).
That is why I wrote "usually" -- it may vary.
Nevertheless, the main point above is wrong, too - commercial law certainly does NOT require parties to be confident about the identity of counterparties.
So, you think that credit-card deals would not need names or any real-life id, just assets? Surely, the merchant gets paid regardless, even if you use a false name. But this is not the end of id fraud. The bank still goes after the money... and uses the law against fraudulent practices to enforce the cardholder agreement, or criminal statutes. If Mr. X uses his wife's credit-card, Mr. X is technically committing id fraud, and wire-fraud. Of course it works most of the time... But when it does not, and someone comes enforcing, someone will ask: did you, Mr X, use Mrs X's credit-card, and represent yourself thereby as Mrs X?

Cheers,

Ed Gerck
On Thu, Nov 16, 2000 at 04:38:53PM -0800, Ed Gerck wrote:
So, you think that credit-cards deals would not need names or any real-life id, just assets?
I've never had to show ID to get a credit card; I also have two credit cards under names (mildly) different from that on my birth certificate. The issuers don't seem to care. Store clerks very rarely ask for ID, and they don't seem bothered by the minor discrepancy in textual form of my name(s), much less the possibility that there may be many other meat-things using the same text string as their identifier. (My name isn't that common, but there's at least one other person in California with it; people with more common names must run into this a lot more often.) I haven't done this myself, but I gather that it's really easy to get "the system" to adopt a wildly different last name than the one on your birth certificate, merely by mentioning that you've been married. It seems to be customary for some people (frequently women, but not exclusively) to adopt a different name at that time; nobody bats an eye about this. I'm aware of one person who's got at least 4 very different names which she uses in different social settings - one's the name she was born with, another is a name she assumed after one marriage, another is a name she assumed after another marriage, and the fourth is a combination of some of the above names. She doesn't have ID for all of those names - just uses the one that seems appropriate to the circumstances.
Surely, the merchant gets paid regardless, even if you use a false name. But this is not the end of id fraud. The bank still goes after the money...and uses the law against fraudulent practices to enforce the cardholder agreement, or criminal statues. If Mr. X uses his wife's credit-card, Mr. X is technically committing id fraud, and wire-fraud. Of course it works most of the time... But when it does not, and someone comes enforcing, someone will ask, did you Mr X, uses Mrs X's credit-card, and represent yourself thereby as Mrs X?
I'm not at all ready to accept your "id fraud" or "wire fraud" arguments - depending on the fact situation, maybe, but it sounds more like a variation on unauthorized use of another's credit card... a charge which hinges on the *unauthorized* use, not on the difference in identities. It's not fraud at all for person X to use person Y's credit card, so long as person X has permission/authority, and doesn't misrepresent the transaction to third parties. Besides, that's got nothing to do with the different parties getting paid - on the outside, maybe the credit card company can recover some restitution from a fraudulent user in sentencing after a criminal conviction. The parties in the criminal action are the government and the accused, however, not the credit card company nor the merchant, so I still think that the identity of the parties does not turn out to be crucial to successful completion of the transaction.

Plenty of people skip out on debts where there's no (extra) ambiguity about identity - and plenty of other people pay debts or fulfill obligations which are apparently not strictly speaking theirs, but those of a closely related entity. Most of the time, most people "do the right thing", and when they don't, the problem isn't likely to be one that's solvable with more intrusive "identity" practices on the part of one or the other of the counterparties. (Ed, I think this is your point about how most e-commerce "security" depends on a violation of privacy.)

The "identity" bugaboo plugs straight into the "then you go to court and someone goes to jail" protocol debunked famously by Doug Barnes some years ago - I don't know if his discussion of that is still online, but it boils down to the insight that courts and litigation aren't very useful in a commercial context; it's faster and cheaper to either avoid bad trades proactively, or abandon them quickly in favor of other, good trades, and not cry over spilt milk.

(And that runs straight into game theory and the Prisoners' Dilemma and the slow-moving background discussion/argument between Bob Hettinga, who sometimes seems to be saying that anonymity is cheaper than not, and Wei Dai, who says the opposite.)

-- 
Greg Broiles
gbroiles@netbox.com
PO Box 897
Oakland CA 94604
Of course not. Unilateral offers can be made to a defined class of persons and accepted by action thereon. An old principle, but valid still.

MacN

On Thu, 16 Nov 2000, Greg Broiles wrote:
It has been conventional wisdom that, for e-commerce to fulfill its potential, each party to a transaction must be confident in the identity of the others.
Mac Norton wrote:
Of course not. Unilateral offers can be made to a defined class of persons and accepted by action thereon. An old principle, but valid still.
Yes, but the problem faced by e-commerce is what happens when it fails. So, while I agree with you that it is not true that "for e-commerce to fulfill its potential each party to a transaction must be confident in the identity of the others", the practice in e-commerce is that security is based on breaking your privacy! And this is not only in terms of credit checks but also in covert background checks teaming up with law enforcement (as candidly admitted by eBay management in a meeting in DC some months ago).

Cheers,

Ed Gerck
MacN
On Thu, 16 Nov 2000, Greg Broiles wrote:
It has been conventional wisdom that, for e-commerce to fulfill its potential, each party to a transaction must be confident in the identity of the others.
On Thu, Nov 16, 2000 at 08:11:25PM -0600, Mac Norton wrote:
Of course not. Unilateral offers can be made to a defined class of persons and accepted by action thereon. An old principle, but valid still.

MacN
On Thu, 16 Nov 2000, Greg Broiles wrote:
It has been conventional wisdom that, for e-commerce to fulfill its potential, each party to a transaction must be confident in the identity of the others.
The quoted text isn't mine - but, to further expand on Mac's comments, it's not even necessary that the offeror's identity be clear to potential acceptors. It's quite likely that many people and organizations are wrong about the assumptions they make about identity - you may think you've bought fast-food from McTacoKing, but it turns out you purchased food from an out-of-state corporation that's a franchisee of another out-of-a-different-state corporation who licenses out their recipes and trademarks to different people. This ambiguity may go both directions - the local McTacoKing may purchase services (like, say, carpet cleaning, or drain cleaning) from yet another locally-held but distantly-registered corporation who's just a franchisee/licensee of widely-recognized trademarks in those fields. It's easy to be sloppy and say that transaction represents a contract between McTacoKing and DrainSuckers - but that's not true at all. It's rare for people to even bother asking about niceties like business form (corporation vs. LLC vs. partnership vs. whatever), much less actually bother to figure out whether what's represented is really true - nobody bothers to call the Secretary of State and ask if the business called "X, Inc." really is a corporation, really is registered, really does have officers, etc., until people start using the words "million" or "billion". Trillions of dollars in small transactions take place without any attention at all paid to identity, in a legally significant sense - people do pay attention to trademarks, but those have only a slight relationship to the legal entities involved.

Even moderately-sized organizations find it useful to divide their operations into a number of legal entities, which may have common owners or have parent/subsidiary relationships - but invariably they hide that complexity behind a nice shiny trademark, because it's just distracting for people to think that "barnesandnoble.com" isn't really the same company as the people who run the bookstore down the street - or that the UPS who ships the books that the online entity sells you isn't the same UPS who sells the online entity the insurance on the safe delivery of that package. It's distracting to think that the entity which places a taxicab company ad in the yellow pages (which have the same logo as the local phone company, but are actually a separate corporation) isn't paid for by the corporation which owns the taxi which drives customers around, which isn't the same as the person who's driving, and may not even be the same company as the one which holds the taxi medallion. And who wants to think about the (lack of) identity between different banks and insurance companies who operate under the same trademarks and in the same office space? If you've got a savings account in a Bank of America branch in California and a checking account in a Bank of America branch in Oregon and a mutual fund account in a Bank of America branch in Oregon, how many different entities have you opened accounts with? 1? Bzzt! 3, or at least that was true before Congress clobbered the Glass-Steagall Act last year. Does that bother the people who cheerfully issue domain names and X.509 certs to various of these different entities? Nope. Does it bother consumers? Nope. Nobody cares, just like nobody cares that individual identities are pretty fluid, too, given that one name can be reused across many different meat things, and a single meat thing may, perfectly legally, use a number of different identities.

The relationship between meat-world entities (including their cousins, the entities created by registration with governments or by mutual agreement of participants) and text strings like "John Smith" or "Bill Clinton" or "Bank of America" is not one-to-one but many-to-many, and that's not going to change. The legal system is accustomed to this ambiguity, and deals with it as necessary. Efforts to "fix" this and force people or corporations to identify in some enforceable way the underlying legal entities involved in a transaction are doomed to failure. The flexibility inherent in the ambiguity is important to getting things done - it's not a bug, it's a feature.

-- 
Greg Broiles
gbroiles@netbox.com
PO Box 897
Oakland CA 94604
On Thu, 16 Nov 2000, Greg Broiles wrote:
The quoted text isn't mine - but, to further expand on Mac's comments, it's not even necessary that the offeror's identity be clear to potential acceptors.
The reality is that, other than for emotional reasons, there is no real requirement that the purchaser and the provider have any relationship other than anonymous. The real problem is in guaranteeing to all parties that the binding between the key and the 'owner' be absolutely air tight. Unfortunately this is the one aspect that has received the least attention. It is the primary problem with key management other than scaling. If the relation between owner and key is not strictly secure then problems arise. Face to face (so much for anonymity to a third party) and trusted intermediaries (which opens up traffic analysis and rubber hose attacks) are clearly not sufficient. This is the reason I say the PGP style web-of-trust is not effective.

How do you anonymously guarantee the binding between the two parties and their respective keys, while remaining anonymous? Is it a requirement that one or more parties have access to the (public) keys?

-- 
James Choate
The Armadillo Group
ravage@ssz.com