pem-dev

Secret vs. Public KD

1993-08-05 11:03:00
Mark,

Steve told you:

> One can use conventional (symmetric) crypto for email,
> but it involves a more real-time interaction with a key distribution
> center (KDC), which must be trusted to not disclose interchange keys (in
> PEM terminology).  The KDC becomes a single point of failure, or one has
> to engage in non-trivial redundant KDC facilities.  The KDC has to be
> trusted not only for authentication, but also for confidentiality.  KDC
> security failures do not leave the same "trail of evidence" as do
> malfunctioning or malicious certification authorities.

This is one of those "opinions" about public key that I find misleading.
Look at PEM secret or public key situations:

If you want to communicate privately with a user that you have not dealt
with before, you must discover his CA or KDC and get a certificate or a
secret key before you send the message.  What's the real-time difference
in these?  In either case you can get the certificate (or key) from the
CA (KDC) directly or from the interchange partner.

Let's look at repudiation: the key that you get in the secret case is
valid until revoked by the sender; in the public case the certificate
may be revoked at any time and you must get a CRL AFTER RECEIPT OF THE
MESSAGE to be sure that the message was sent with a valid certificate.
The CA (or PCA) is a single point of failure in this case.  It seems to
me that the secret key distribution case works better here.

The trust issue is one of degree and not of substance.  In either case
there needs to be a chain of trust (or web of trust in the
non-hierarchical public case).  It may be that the public case is easier
to administer, but there is no fundamental difference in the measure of
trust that CA or KDC must have for us to believe them.  Check out X9.30
if you want to see what level of trust the bankers will require of a CA.

Peace ..Tom Jones
