From a business point of view I am equally happy selling symmetric key, KDC
type approaches as PKI. In point of fact I am currently co-chair of a working
group that is developing a symmetric key protocol.
However there are very few security advantages in the KDC model (e.g.
resistance of symmetric key crypto to quantum cryptanalysis), plenty of
security disadvantages (much more limited hardware support, not possible to
apply same separation of duties controls) and some really serious operational
constraints.
From a historical point of view it is certainly true that we probably made a
mistake in the original conception of PKI as making the KDC model obsolete. A
synthesis of the two approaches would have been much more valuable. In
particular if SSL had supported kerberos ticket like capabilities from the
start. We later added KDC type capabilities to PKI with protocols like XKMS
and OCSP.
But the argument here strikes me as little more than an emacs/vi contest.
Regardless of the technical infrastructure you employ you still have to map the
network identifiers to real world identities. And that is an excercise that
requires expense and consistency and attention to detail and is as boring as
sin for the people actually doing it.
Proposals to do away with commercial PKI come in two flavors. The first is
technological magic which is founded not on a misunderstabing of the problem
but a complete failure to understand that the problem exists. The second is the
open source effort objection which is pretty much as viable as an open source
effort to do people's tax returns for them.
________________________________
From: Masataka Ohta
[mailto:mohta(_at_)necom830(_dot_)hpcl(_dot_)titech(_dot_)ac(_dot_)jp]
Sent: Wed 11/07/2007 5:04 AM
To: Eliot Lear
Cc: Douglas Otis; IETF discussion list
Subject: Re: PKI is weakly secure (was Re: Updating the rules?)
Eliot Lear wrote:
What I was referring to was
Ohta-san's implication that PKI is fundamentally flawed. Perhaps it is,
Perhaps.
Though my statement so far is PKI is not strongly secure, it implies
that you can choose from equally secure design alternatives.
See below.
but I don't see anything better for key distribution to millions of
people. If you, he, or anyone else comes up with something better, I'm
all ears.
Though I'm not so sure about your requirement, if you need fairly
secure key distribution mechanism over the Internet, KDC, not CA,
based schems such as Kerberos, is better than PKI.
Though KDCs require real time communication, it's free over the
Internet.
Moreover, because key distribution is in real time, key invalidation
is instantaneous without complex mechanisms such as CRLs. That is, you
can shutdown spam site instantaneously.
Or, as you are trying to create a new key distribution network from
the beginning, it should be easier to create a new mail distribution
network from the beginning where mails are allowed only between
pre-recognized bodies.
A very good property of this approach is that we don't need any
cryptography nor new protocol. Just have a list of IP addresses of
thousands or tens of thousands of root mail servers and set up our
mail software to accept mails only from them or our own proxy and
send mails only to them through proxies registered to a root mail
server or two or three...
Setting up a new mail network is hard but, IMHO, much easier than
setting up a new PKI.
Though neither of the above protect us spams from cracked accounts,
we are not annoyed by delays with CRLs.
Of course, CAs, ISPs, KDCs and root mail servers are not very
trustworthy but they should increase the cost of spammers.
Masataka Ohta
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf