Franck Martin;
That you can construct a PK structure to represent a set of trust
relationships for some purpose does not mean that there is some
general purpose PKI.
There isn't.
That is, that you must construct a PK structure for every different
purpose is not a software issue but an operational problem too complex
and costly to be solvable.
Hmmm, we talked about some of it...
Maybe. However there are other reasons why PKI is hopeless.
The other two problems are:
CAs of PKI, if any, are just as reliable as ISPs. That is,
if you can just rely on CAs, you can just rely on ISPs that
your communication is just secure. Otherwise, you must
assume that your or your peer's CA, over which you have no
control, is compromised. So, virtual MitM in CAs
between you and your peer is just as harmful as MitM
in ISPs between you and your peer.
PKIs, if any, are not useful for authentication on consumable
credential. The only merit of PK with CA over shared key with
KDC is that no communication with CAs is necessary for every
transaction. However, it means that there is no entity to check
the amount of remaining credential. So, if an attacker has a
certificate to be used for 1,000USD of transaction, the attacker
can use the certificate for 1,000 seconds, 1,000 times a second,
from 1,000 different locations, the total damage of which is
1,000,000,000,000USD for the personal benefit of the attacker or for
economic terrorism to ruin the worldwide economy.
In short, CAs are intermediate intelligent entities that do not know
the precise current state of communications (e.g. remaining
credential), so the introduction of such CAs is a direct violation
of the end-to-end principle.
So, PKI is even less hopeful than IPv6.
Masataka Ohta
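The replay argument above, as an added simulation that is not part of the post: a signed "consumable credential" checked offline by each relying party (the PK-with-CA model) versus the same credential checked by one online authority that tracks what has been spent (the KDC model). An HMAC stands in for the CA signature, and the voucher, key and amounts are constructed for the demo.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed demo key: stands in for the issuer's (CA's) signing key.
ISSUER_KEY = b"constructed-demo-issuer-key"


def _body(holder: str, limit_usd: int) -> bytes:
    return f"{holder}:{limit_usd}".encode()


def issue_voucher(holder: str, limit_usd: int) -> dict:
    """Issue a signed credential good for limit_usd in total (HMAC = signature stand-in)."""
    sig = hmac.new(ISSUER_KEY, _body(holder, limit_usd), hashlib.sha256).hexdigest()
    return {"holder": holder, "limit_usd": limit_usd, "sig": sig}


def signature_valid(v: dict) -> bool:
    expected = hmac.new(ISSUER_KEY, _body(v["holder"], v["limit_usd"]), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest(), v["sig"])


class OfflineVerifier:
    """PK-with-CA model: each relying party checks the signature alone, no shared state."""

    def accept(self, v: dict, amount: int) -> bool:
        return signature_valid(v) and amount <= v["limit_usd"]


class OnlineVerifier:
    """KDC-style model: a single authority knows the remaining credential per holder."""

    def __init__(self) -> None:
        self.spent = defaultdict(int)

    def accept(self, v: dict, amount: int) -> bool:
        if not signature_valid(v):
            return False
        if self.spent[v["holder"]] + amount > v["limit_usd"]:
            return False  # credential exhausted: replay is refused
        self.spent[v["holder"]] += amount
        return True


def total_accepted(verifier, voucher: dict, presentations: int, amount: int) -> int:
    """Present the same voucher `presentations` times; return total USD accepted."""
    return sum(amount for _ in range(presentations) if verifier.accept(voucher, amount))
```

With a 1,000 USD voucher presented five times, the offline verifier accepts 5,000 USD while the online verifier stops at 1,000 USD; a tampered voucher is rejected by both.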