A web of trust is different from the chain of trust I'm talking about. In a web of trust, a key is signed by lots of different people; ideally, everybody can trust everybody. In a chain of trust, each member only knows and trusts the adjacent members.
CAcert doesn't operate a web of trust in the PGP sense, for someone to issue "trust" points to other people they must already have a certain amount of trust points themselves. Both PKI and PGP models will fail, not because of the technology but because of the people factor. The PKI model *can* be to a larger is a slightly more resilient, in general no CA would have reason to issue false certificates and *usually* you can be sure more are issued on a correct basis. PGP model if you lived in say Africa and wanted to communicate with someone in South America with little or no prior relationship and you wanted to be sure the communication wouldn't be intercepted you have 2 choices, fly to meet each other or gain trust you both are who you say you are from an impartial 3rd party that if it did it's job correct would be correct.
*BUT*, and it's a very big but, there is 2 or 3 flaws in the PKI model, firstly there is a crap load of money usually involved, where there is money there is usually corruption, at this stage of the game the PKI industry has had very little over all impact, something like 0.3% of web servers (not websites) are protected with a "valid" certificate issued by a "valid" CA, the number of invalid and self signed and non-"valid" signed certificates is closer to 1.3%. There are a lot of websites that should use some form of crypto to protect against passive listening. Another major flaw is PKI based on issued certificates from any CA would be worthless in protecting a person in the country where governments repress free speech by arresting and killing their citizens. In the UK I believe the government has laws in place so they can demand your private key, and the US could coerce by legal means to force CAs to issue false certificates and then stick a gag order of them.
PGP model would obviously be an advantage in this case, but most people don't have a clue about security practises and get so many pop-up warning messages they simply click ok to whatever comes up.
The other flaw is safe keeping of certificates, unless you have a hardware device, the more difficult you make it for someone to break digital security will only make them turn round and break physical security...
Passwords are inherently bad and there are numerous articles on people giving their work/email passwords away for a cheap pen...
Sort of... CAcert.org is a Certificate Authority. A CA just signs public keys, while a key server stores a copy of them. What I'm talking about is more like http://pgp.mit.edu/.
Working on it, we actually have a finger daemon setup/running to reply with certificates if you send it a exact request that matches an entry in the database, weather hostname or email address...
I've penned an internet-draft on what we've done which can be read here:
http://www.cacert.org/index.php?id=26&prob=8
I keep meaning to post it to the IETF as a informational document...
But we're not looking at certificates; we're looking at public/private keypairs. Phones can generated the keypairs, but how does the phone prove to the key server that it is an authorized phone? With just a simple password?
The PIX sends a certificate signing request and holds onto the private key, the CA then replies with a signed certificate and the PIX stores that with the private key...
When grabbing a certificate it doesn't matter if it's authorised to or not, because it has the private key so only it can decode data sent to it using the public certificate...
-- Best regards, Duane
http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! http://e164.org - Using Enum.164 to interconnect asterisk servers _______________________________________________ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
