public keys can be used to provide some degree of trust propogation w/o the
problems associated with shared secrets ... independent of key-exchange for
session confidentiality.
certificates were designed to provide for offline trust propogation (i.e.
trusted 3rd party generating
paper credentials in the days of sailing ships ... for things like letters of
credit).
two possible online scenerios for online trust propogation was online domain
name infrastructure providing public key as part of online hostname resolution
response ... and licensing/certification agencies providing public key as part
of a trust lookup.
Trust propogation also works going from highly authenticated environment ...
which might register a public key with a relying party; to a quickly
authenticated environment remote, non-face-to-face transactions with digital
signature (the digital signature would be a mathematical encapsulation of the
authentication business process that occured as part of public key
registeration) . Asymmetric algorithms have some advantages over traditional
shared-secret algorithms in that there can be lower maintenence expense at the
relying party (i.e. security exposure associated with divulging a shared
secret).
random refs:
http://www.garlic.com/~lynn/2000f.html#1
http://www.garlic.com/~lynn/2000f.html#3
John Kelsey <[EMAIL PROTECTED]> on 11/24/2000 12:59:42 PM
To: Bram Cohen <[EMAIL PROTECTED]>, Lynn Wheeler/CA/FDMS/FDC@FDC
cc: "Arnold G. Reinhold" <[EMAIL PROTECTED]>, Ben Laurie
<[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Public Key Infrastructure: An Artifact...
-----BEGIN PGP SIGNED MESSAGE-----
At 04:47 PM 11/22/00 -0800, Bram Cohen wrote:
>On Wed, 22 Nov 2000 [EMAIL PROTECTED] wrote:
>>the other scenerio that some certification agencies have
>>expressed (i.e. licensing bureaus, bbb, consumer report, etc
>>operations) is that in the online world ... that they would
>>provide an online service .... rather than certificates
>>designed for an offline world.
>Yes, it seems fairly well established that revocations just
>plain don't work.
>Once again, the solution to the problems of offline
>operation appears to be online operation.
And the annoying thing about this is that once we go to
needing an online trusted third party to allow us to have
secure communications, we may as well chuck the public key
stuff and just use symmetric ciphers and the key exchange
protocols worked out ten or fifteen years ago. Which makes
me suspect that we're just not using public key mechanisms
very intelligently yet. We've realized that screws are
better for many jobs than nails, it's just that they're so
damned hard to hammer in....
>-Bram Cohen
--John Kelsey
PGP: 5D91 6F57 2646 83F9 6D7F 9C87 886D 88AF
``Slavery's most important legacy may be a painful insight
into human nature and into the terrible consequences of
unbridled power.'' --Thomas Sowell, _Race and Culture_
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use
<http://www.pgpinternational.com>
Comment: foo
iQCVAwUBOh7WlyZv+/Ry/LrBAQE+eAP9E8RxIl9TAVbWT8CJKGl0V3IN9wMCWs82
wzh3XaSs/YYdGcG/+rEPN+S6y9t8HsSz9vr3dgPwOMDsVvkmBkOQJT+YK86thUiS
a4eL2Ea9T2lAj5+gb6jeUhBpqn130C0WxUab5ARZffSOMkZCa7I9V6CfKIwL9Noq
fMzDtrkqNXw=
=yGFp
-----END PGP SIGNATURE-----
