ietf-openpgp

Re: rfc2440bis-02 comments

2000-12-27 19:18:07
From: Hironobu SUZUKI <hironobu(_at_)h2np(_dot_)net>
Subject: Re: rfc2440bis-02 comments 
Date: Wed, 27 Dec 2000 15:50:44 +0900

...

i don't think the example in question should dictate everyone's
policy.

Alice, Bob and Olive story may be vulnerability of public key
distribution and verification, is not sort of policy.

i'm sorry, but i wasn't able to understand what you meant.

my guess is that you are saying that addressing the example scenario
you gave is a design goal of public key distribution and verification.

is that what you meant?  if not, please elaborate.


i don't think the current keyserver structure alone addresses the
scenario you gave.  you also need to establish that a particular key
belongs to a particular entity -- this is not possible using only the
keyservers -- you need to perform at least one key fingerprint
verification and depending on the situation, you may also need a trail
of appropriate signatures to the entity's key.  

in your example scenario:

  in step 3, bob is not certain that the text was written by alice
  until he verifies that the key is hers.  he can do that via
  contacting alice, or if an appropriate chain of signatures exists,
  he can do it via that method (it depends on his policy).  once bob
  has verified the relationship between alice and the key he downloaded,
  then he can be certain (actually he can be certain w/o this, but he 
  will be foolish for being certain ;-) )

  in step 5, it is true that olive can't verify alice's text because
  she doesn't have alice's public key.  but having a key from the
  keyserver that might be alice's key is not enough.  olive must also
  establish that the key is alice's.

so to summarize, verifying signed text is going to require verifying
entity-key associations.  that's going to require communication
between entities.  imo, this communication should clear up
difficulties in most cases.


i think there will be pathological cases where verification of
signatures will not be possible.  

in fact, the current situation does provide examples of such
situations -- for example, there are already keys on the keyservers
for which no one can establish relationships to owning entities:

  any key that no one has done a fingerprint verification for and the 
  secret key material is lost

if there is some text signed w/ such a key floating out there, no one
will be able to verify the signature.  even if one person has
performed a key fingerprint verification for the key, if no one else
trusts this person as a verifying entity, no one else will be able to
verify the signature.

imo, those kinds of pathological situations need to manage their risks
using additional means.
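
The acceptance rule discussed in this message, as an added example (not part of the original post and not taken from any OpenPGP implementation): a key is accepted only after a fingerprint check with its owner, or when a chain of signatures reaches it from keys the verifier has checked and whose owners the verifier trusts as verifying entities. The names carol, dave and orphan, the sample signatures, and the rule that one signature suffices are assumptions.

```python
from collections import deque

def can_accept(target, checked, trusted, certs):
    """Decide whether a verifier may bind `target` to its claimed owner.

    checked: keys whose fingerprint the verifier confirmed with the owner
    trusted: keys whose owners the verifier trusts as verifying entities
    certs:   signer key -> set of keys that signer has signed
    Assumed policy: one signature from a valid, trusted key is enough.
    """
    if target in checked:
        return True
    # Only keys that are both verified and trusted can start a chain.
    queue = deque(k for k in checked if k in trusted)
    seen = set(queue)
    while queue:
        signer = queue.popleft()
        for signed in certs.get(signer, ()):
            if signed == target:
                return True
            # A newly validated key extends the chain only if its owner
            # is also trusted as a verifying entity.
            if signed in trusted and signed not in seen:
                seen.add(signed)
                queue.append(signed)
    return False

# Constructed sample data: signatures as they might sit on a keyserver.
CERTS = {"carol": {"alice"}, "dave": {"orphan"}}

def scenarios():
    return {
        # bob checked carol's fingerprint and trusts her signatures
        "bob_via_chain": can_accept("alice", {"carol"}, {"carol"}, CERTS),
        # olive only downloaded alice's key; nothing ties it to alice
        "olive_download_only": can_accept("alice", set(), set(), CERTS),
        # olive after checking the fingerprint with alice
        "olive_after_contact": can_accept("alice", {"alice"}, set(), CERTS),
        # dave verified the orphan key, but bob does not trust dave
        "bob_untrusted_verifier": can_accept("orphan", {"dave"}, set(), CERTS),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```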
