For PKIs in general, there's always an "out of band" transfer of a public
key that you elect to "trust" before secure communications/transactions can
occur. Often, this is the transfer of a "root key", which is then relied on
to certify other public keys you get in the course of doing business. This
is the general solution to the problem Noel describes below - once you have
this limited out-of-band transfer, you can rely on the automated exchange of
keys. (Subject of course to the possibility of revocation/compromise, and
yes most current software ignores that problem or deals with it in a very
ugly way. But that's improving.)
(Now, of course, my argument would be stronger if the usual "out of band"
transfer wasn't "well, the certificate came pre-loaded in Internet Explorer.
But bad implementations don't obscure the general point - the problem is
solvable; the solution is known; it involves one secure out-of-band
transfer.)
Al Arsenault
Senior Security Engineer
BBN Technologies
-----Original Message-----
From: owner-ietf(_at_)ietf(_dot_)org [mailto:owner-ietf(_at_)ietf(_dot_)org]On
Behalf Of Noel
Chiappa
Sent: Sunday, December 14, 2003 2:56 PM
To: ietf(_at_)ietf(_dot_)org
Cc: jnc(_at_)mercury(_dot_)lcs(_dot_)mit(_dot_)edu
Subject: Re: PKIs and trust
> From: Paul Hoffman / IMC <phoffman(_at_)imc(_dot_)org>
> At 2:14 PM -0500 12/14/03, Keith Moore wrote:
>> if you can show me a tool that will translate statements like the
>> above (or other statements that ordinary humans can understand) into
>> data structures that existing PKI-based tools will interpret reliably
>> and correctly, I'll be extremely impressed.
> When you get a message with statements about your job, you verify that
> the message has been signed using your boss' public key. What's the
> problem here?
The issue is how you can be sure that the thing purporting to be your boss'
(or landlord's, or whomever) public key really is their public key, unless
they gave it to you directly and personally themselves. (Which they well
might, as part of the opening of any commercial transaction.)
But short of that, there's no *existing* comprehensive key-validation
structure which can assure you that the thing which is claimed to be the
public key of X really is X's public key, where X is some arbitrary entity -
e.g. a Web storefront from whom one wants to purchase something.
Yes, we probably have enough protocol tools that we could create such a
thing
(e.g. with DNSSEC), but that's not the issue - the point is there's nothing
deployed at the moment, therefore no way (in practise) to do it.
Noel