pem-dev

Re: PEM and PCAs

1994-02-11 06:53:00
Jeff,

For the record, the text you quoted as being written by me was really 
from Rhys Weatherley, and merely quoted in my reply message.
It does NOT reflect my own views, in particular the first paragraph.

However, I think that there is considerable merit in the PEM
extensions for non-hierarchical (direct) trust that you describe.
God is in the details, so I want to read what you said much more
carefully, but I think you are on the right track.

Steve Crocker once characterized the existing PEM approach 
(paraphrasing him) as providing _syntactic_ validation of the 
correctness of a digital signature by virtue of the certificate 
hierarchy that will eventually be rooted in the IPRA.

However, as a number of people have noted (most recently
Jeff Kimmelman), this hierarchical certificate structure only 
provides a _framework_ for trust, and does not confer trust
in the _semantics_ of the message in and of itself.

In some contexts, trust can be established by edict, e.g., if
a smart card is established by the government as the 
mechanism for accessing national health services, that
chain will be trusted by mandate of law. In other contexts,
trust can be established by bilateral agreements between
all parties directly, or between the various parties and a
central clearing house, e.g., the various credit card systems.

On a more personal level, however, trust is established more
slowly, as a function of experience in dealing with a person.
No one can tell me that I _must_ trust someone -- at best my
company can instruct me that certain people are to be trusted
for business purposes, and by implication my company accepts
the responsibility if that person turns out not to be trustworthy.

That is not to say that the syntactic validation of a signature
chain is worthless -- if something fails to validate, that is a 
clear signal that something is wrong. But the fact that it does
validate at best provides me with a degree of nonrepudiation
(depending on a lot of other things), and perhaps I can take
legal action against that person if necessary, but it doesn't
confer trust directly.

Of course if you have the human in the loop, reading all of the
certificate information, that person can decide for himself on a
message by message basis whether to believe the message and 
take action on it. But if you want to automate this process 
somewhat, you can control whose keys you put in your own 
cache, and only accept implicitly those individuals, CAs, and/or
PCAs that you have so indicated. You might even adopt a wildcard
convention that indicates which individuals, CAs, and/or PCAs 
you do _not_ want to accept or trust.

I believe that this level of user-centric controls over what 
messages are to be _believed_ is absolutely essential, and one
of the most obvious features missing from the current PEM
implementations. In addition, using the user's own implicitly
trusted public key to sign any and all of the other keys, even
the IPRA root key, provides an additional level of protection 
against the undetected modification of the root key and the script
that says which other keys are to be accepted.

If in addition it provides the ability to jump start the process of
getting users up and running without having to wait for the
creation of all of the CAs, all the better.

Bob
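
The user-controlled acceptance list described in the message above (a cache of implicitly accepted names, a wildcard convention for names not to trust, and the user's own key protecting the root key and the acceptance script), as an added example that is not part of the original message. All names, patterns, key values and function names are constructed, and HMAC-SHA256 with a user-held secret stands in for a signature made with the user's own key.

```python
import fnmatch, hashlib, hmac, json

# Constructed policy: every name, pattern and key value here is illustrative.
POLICY = {
    "accept": ["CN=Alice, O=Example Corp", "O=Example CA *"],
    "reject": ["*O=Untrusted PCA*"],            # wildcard "do not trust" entries
    "keys": {"IPRA root": "constructed-root-key-value"},
}

def seal(policy, user_secret):
    """Bind the whole policy, cached root key included, to the user's own key.
    HMAC-SHA256 is a stand-in for a signature by the user's key pair."""
    blob = json.dumps(policy, sort_keys=True).encode()
    return hmac.new(user_secret, blob, hashlib.sha256).hexdigest()

def matches(name, patterns):
    return next((p for p in patterns if fnmatch.fnmatchcase(name, p)), None)

def evaluate(chain, chain_validates, policy, user_secret, tag):
    """chain: names from originator up to the root. Returns (believed, reason)."""
    if not hmac.compare_digest(seal(policy, user_secret), tag):
        return False, "policy or cached root key modified since it was sealed"
    if not chain_validates:
        return False, "signature chain failed validation"
    # Assumption: a reject match anywhere in the chain overrides any accept.
    for name in chain:
        hit = matches(name, policy["reject"])
        if hit:
            return False, f"{name} matches reject pattern {hit}"
    for name in chain:
        hit = matches(name, policy["accept"])
        if hit:
            return True, f"{name} matches accept pattern {hit}"
    # A chain that validates but names no one the user accepts is not believed.
    return False, "chain validates, but nobody in it is implicitly accepted"

if __name__ == "__main__":
    secret = b"constructed user secret"
    tag = seal(POLICY, secret)
    ok_chain = ["CN=Bob, O=Example Corp", "O=Example CA 1", "IPRA"]
    print(evaluate(ok_chain, True, POLICY, secret, tag))
```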
