CDR: Re: Public Key Infrastructure: An Artifact...

Ed Gerck egerck at nma.com
Thu Nov 16 15:53:28 PST 2000

> http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html
>
> Public Key Infrastructure: An Artifact Ill-Fitted to the Needs of the
> Information Society
>
> Abstract
>
> It has been conventional wisdom that, for e-commerce to fulfill its
> potential, each party to a transaction must be confident in the identity of
> the others.

This is the law for commerce, except for cash transactions of non-controlled
goods. Firearm sales usually require proof of identity (at least) even for a
cash transaction.

> Digital signature technology, based on public key cryptography,
> has been claimed as the means whereby this can be achieved.

No.  The only thing claimed in digital signature technology is that a
message was signed by a key which has a strong binding to an identifier:

 Section 11.2 of X.509v3 – “Management of certificates”–
 states that the certificate allows an association between a
 name called “unique distinguished name,” or DN for the
 user, and the user’s public-key: “A certificate associates the
 public key and unique distinguished name of the user it describes.”

However,  the same user can have different DNs in different CAs, or can have
the same DN in different CAs even if the user is not the first to use it in any of
the CAs.

So, nowhere in X.509 or in PKIX (which stands for PKI with X.509) is 'claimed'
that digital certificates provide proof of identity.  This is a serious mistake in
this paper, which is however a quite common misconception (unfortunately
fueled by CAs, sometimes).

[see "Overview of Certification Systems" at http://www.mcg.org.br/certover.pdf --
originally published in 1997 and downloaded more than 200,000 or that I care to
count; mirrored at  http://www.thebell.net/papers/certover.pdf and elsewhere].

BTW, this is also Bruce Schneier's unfortunate mistake, in his latest newsletter.
And a digital certificate is certainly less of a seal than of a signature because
a digital signature is not bound at all to the document but to the contents of
the document.  Even if a document has its contents erased (chemically, or
with lasers or otherwise), the seal remains intact whereas the digital signature
would cease to work.


> Digital
> signatures do little, however, unless a substantial infrastructure is in
> place to provide a basis for believing that the signature means something
> of significance to the relying party.

Wrong.  Let's repeat -- if a PKI does not exist, then all digital signatures work
without a PKI and the statement above is wrong. If a PKI exists, the whole paper
is moot.

A correct statement would be to say that PKIs do exist in domains of trust (which
domains can even extend to the whole world, so they are not necessarily "small" in the
geographic sense) and that in each domain digital certificates work fine.  This
applies not only to X.509 or PKIX but also to PGP.

> Conventional, hierarchical PKI, built around the ISO standard X.509, has
> been, and will continue to be, a substantial failure.

;-) It is a good business, though.

> This paper examines
> that form of PKI architecture, and concludes that it is a very poor fit to
> the real needs of cyberspace participants. The reasons are its inherently
> hierarchical and authoritarian

:-) Maybe a day will come that a certificate will order me around, but this may be
too far in the future to be of any concern.

> nature, the unreasonable presumptions it
> makes about the security of private keys, a range of other technical
> defects, confusions about what it is that a certificate actually
> authenticates, and its inherent privacy-invasiveness. Alternatives are
> identified.

All this is a deja-vu of other papers, including not only my own "Overview of
Certification Systems" of 1997, with a lot of added mistakes.

Cheers,

Ed Gerck
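The two claims argued above (an X.509 certificate binds a DN to a public key, and only within the issuing CA's domain; and a digital signature is bound to the content, not to the document as an object) can be checked directly. The following is an added example written for this page, not code from Ed Gerck, Roger Clarke, or any PKI project. It uses only the Go standard library; the CA names "Example CA One" and "Example CA Two", the subject "Alice", and the signed message are constructed for the demonstration. Two independent CAs each certify a different key under the identical DN, and the checks record what a relying party can and cannot conclude from that.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template describes a certificate whose subject DN is "CN=<cn>", valid for a day.
func template(cn string, isCA bool) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              ku,
	}
}

// sign issues tmpl, binding pub to tmpl's DN, under the signer's key (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA creates a self-signed root; the name is a constructed placeholder.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	t := template(cn, true)
	return sign(t, t, &key.PublicKey, key), key
}

// chainsTo reports whether cert validates with root as the sole trust anchor.
func chainsTo(cert, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

type Result struct {
	SameDN, SameKey, OwnCAOK, OtherCAOK, OriginalOK, AlteredOK bool
}

// Demo: two CAs each certify a different holder under the identical DN "CN=Alice".
func Demo() Result {
	caOne, keyOne := newCA("Example CA One")
	caTwo, keyTwo := newCA("Example CA Two")
	holder1, holder2 := newKey(), newKey() // two different people, one identifier
	cert1 := sign(template("Alice", false), caOne, &holder1.PublicKey, keyOne)
	cert2 := sign(template("Alice", false), caTwo, &holder2.PublicKey, keyTwo)

	// The signature covers the content bytes: change the bytes and it stops working.
	msg := []byte("constructed sample: pay 100 to Bob")
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, holder1, digest[:])
	if err != nil {
		panic(err)
	}
	altered := sha256.Sum256([]byte("constructed sample: pay 900 to Bob"))
	return Result{
		SameDN:     cert1.Subject.String() == cert2.Subject.String(), // identical DN...
		SameKey:    holder1.PublicKey.Equal(&holder2.PublicKey),      // ...bound to different keys
		OwnCAOK:    chainsTo(cert1, caOne),                           // binding holds in its own domain
		OtherCAOK:  chainsTo(cert1, caTwo),                           // and proves nothing outside it
		OriginalOK: ecdsa.VerifyASN1(&holder1.PublicKey, digest[:], sig),
		AlteredOK:  ecdsa.VerifyASN1(&holder1.PublicKey, altered[:], sig),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

A relying party that trusts only "Example CA One" accepts cert1 and rejects cert2 even though both say "CN=Alice"; the DN is an identifier scoped to the issuing CA, not a proof of who the holder is. The last two fields show the point about seals versus signatures: the signature is over the digest of the content, so it verifies for the original bytes and fails for the edited ones.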