ietf

Re: PKIs and trust

2003-12-14 12:37:16
At 2:14 PM -0500 12/14/03, Keith Moore wrote:
I'd put this a different way. Until PKIs are able to represent the rich diversity of trust relationships that exist in the real world, they are mere curiosities with marginal practical value.

Oh, please. Describe a trust relationship that cannot be represented using current PKI technology (PKIX certs, S/MIME signed messages, OpenPGP certs, OpenPGP signed messages, or SPKI certs).

I trust my boss to make statements about my job.
I trust my landlord to make statements about the house I rent from him.
I trust my mother and my siblings to make statements about my immediate family.
I trust my mother and my siblings to make statements about the identities of other family members.
I trust the State of Tennessee to make statements about the identities of state agencies.
I trust state agencies to make statements about matters over which they have authority (e.g. automobile licensing), but not to make statements about things that are outside of their purview.
I trust the United States government to make statements about the identities of US government agencies.
I trust US government agencies to make statements about matters over which the agency has authority (e.g. aircraft licensing, federal income tax), but not to make statements about things which are outside of their purview.
I trust my employer to make assertions about the identities of its officers and/or other employees, for the purpose of establishing identity for work-related communications, but not for other purposes.

Now if you can show me a tool that will translate statements like the above (or other statements that ordinary humans can understand) into data structures that existing PKI-based tools will interpret reliably and correctly, I'll be extremely impressed.

All of those statements, assertions, and so on can be made in simple signed messages. When you get a message with statements about your job, you verify that the message has been signed using your boss' public key. What's the problem here?

--Paul Hoffman, Director
--Internet Mail Consortium
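The exchange above turns on whether "signed by my boss' key" can carry the scoping Keith asks for (boss for job, landlord for house, nothing else). The following is an added example written for this archive page, not code from either poster or from any IETF specification: it encodes two of Keith's trust statements as a per-key subject list, signs statements with Ed25519 (Go standard library), and shows that the verifier rejects a landlord's key speaking about the job, an unknown key, and a tampered body. The JSON statement format, the subject labels "job" and "house", and the boss/landlord/stranger names are all constructed assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is a constructed message format (an assumption of this example):
// a signer asserts a Claim about a Subject such as "job" or "house".
type Statement struct {
	Subject string `json:"subject"`
	Claim   string `json:"claim"`
}

// SignedStatement carries the signed bytes, the Ed25519 signature and the public key
// the sender claims to have signed with. The claimed key is untrusted input; it only
// matters once the policy lookup in Verify says that key is trusted.
type SignedStatement struct {
	Statement []byte
	Signature []byte
	Signer    ed25519.PublicKey
}

var (
	ErrBadSignature  = errors.New("signature does not verify under the claimed key")
	ErrUnknownSigner = errors.New("signer key is not trusted for anything")
	ErrOutOfScope    = errors.New("signer key is not trusted for this subject")
)

// TrustPolicy records, per public key, the subjects that key may speak about.
type TrustPolicy struct {
	allowed map[string]map[string]bool // string(pubkey) -> subject -> allowed
}

func NewTrustPolicy() *TrustPolicy {
	return &TrustPolicy{allowed: map[string]map[string]bool{}}
}

// Trust authorises pub for the given subjects and nothing else.
func (p *TrustPolicy) Trust(pub ed25519.PublicKey, subjects ...string) {
	k := string(pub)
	if p.allowed[k] == nil {
		p.allowed[k] = map[string]bool{}
	}
	for _, s := range subjects {
		p.allowed[k][s] = true
	}
}

// Sign serialises the statement and signs those exact bytes, which are kept verbatim so
// that verification checks what was signed rather than a re-encoding.
func Sign(priv ed25519.PrivateKey, st Statement) (SignedStatement, error) {
	body, err := json.Marshal(st)
	if err != nil {
		return SignedStatement{}, err
	}
	return SignedStatement{
		Statement: body,
		Signature: ed25519.Sign(priv, body),
		Signer:    priv.Public().(ed25519.PublicKey),
	}, nil
}

// Verify accepts a statement only if (1) the signature is valid under the claimed key,
// (2) that key appears in the policy, and (3) the key is trusted for the statement's
// subject. The subject is read from the message, so it is not consulted before the
// signature binding the message to the key has been checked.
func (p *TrustPolicy) Verify(ss SignedStatement) (Statement, error) {
	if len(ss.Signer) != ed25519.PublicKeySize || !ed25519.Verify(ss.Signer, ss.Statement, ss.Signature) {
		return Statement{}, ErrBadSignature
	}
	subjects, known := p.allowed[string(ss.Signer)]
	if !known {
		return Statement{}, ErrUnknownSigner
	}
	var st Statement
	if err := json.Unmarshal(ss.Statement, &st); err != nil {
		return Statement{}, err
	}
	if !subjects[st.Subject] {
		return st, ErrOutOfScope
	}
	return st, nil
}

// Scenario generates fresh keys for a boss, a landlord and a stranger (constructed names),
// loads two of the thread's trust statements as policy, and returns the outcome of four
// checks: in scope, wrong subject, unknown key, tampered body.
func Scenario() (inScope, wrongSubject, unknownKey, tampered error) {
	bossPub, bossPriv, _ := ed25519.GenerateKey(rand.Reader)
	landlordPub, landlordPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)

	policy := NewTrustPolicy()
	policy.Trust(bossPub, "job")       // "I trust my boss to make statements about my job."
	policy.Trust(landlordPub, "house") // "I trust my landlord to make statements about the house."

	s1, _ := Sign(bossPriv, Statement{Subject: "job", Claim: "employed as senior engineer"})
	_, inScope = policy.Verify(s1)

	s2, _ := Sign(landlordPriv, Statement{Subject: "job", Claim: "fired"})
	_, wrongSubject = policy.Verify(s2)

	s3, _ := Sign(strangerPriv, Statement{Subject: "house", Claim: "lease terminated"})
	_, unknownKey = policy.Verify(s3)

	s4, _ := Sign(bossPriv, Statement{Subject: "job", Claim: "employed as senior engineer"})
	s4.Statement = bytes.Replace(s4.Statement, []byte("senior"), []byte("junior"), 1)
	_, tampered = policy.Verify(s4)
	return
}

func main() {
	inScope, wrongSubject, unknownKey, tampered := Scenario()
	fmt.Println("boss about job:       ", inScope)
	fmt.Println("landlord about job:   ", wrongSubject)
	fmt.Println("stranger about house: ", unknownKey)
	fmt.Println("tampered boss message:", tampered)
}
```

The policy here is a flat key-to-subject table held by the relying party, which is the SPKI/OpenPGP style of local trust rather than a certificate chain; the point the example makes is that the scoping lives in the verifier's policy, not in the signed message, so a valid signature by itself never answers "is this key allowed to say this".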


