The magic of public key crypto is that it gets rid of the key
management problem -- if I'm going to communicate with you with
symmetric crypto, how do I get the keys to you? The pain of it is that
it replaces it with a new set of problems. Those problems include that
the amazing power of public-key crypto tempts one to do things that
may not be wise.
I find public-key cryptography to be full of "dirty little secrets". Some of the notions inherent in public-key *infrastructure* are, on the face of them, preposterous. Consider the notion of a certificate authority. I am to trust some third party (the CA) that I've never met, and have no reason to trust, is able to make a "believable" assertion about the identity (and corresponding public-key binding) of some *other* party I've never met, and have no real reason to trust. It always struck me as another instance of "there's no problem in CS that can't be solved by adding another layer of abstraction". I think this is an instance of a general problem with digitally-signed documents of all kinds: confusion about exactly what they are -- a signature on a document (like a certificate) says nothing about the *essential truth* of the statements contained within the document. When SlushySign issues a certificate for "", there's a subtle distinction between "we believe this to be the appropriate binding between this public-key and an entity known as" and "this really is the binding between this public-key and the entity you all know as".
I started thinking about the "essential truth" problem back when the whole TPM thing was popular, and proponents were talking as if the digital signature of a computer stating that it was "sane" was somehow the same as said computer actually being "sane". Absent independent there's no way to distinguish a strongly-signed "lie" from a strongly-signed "truth". That isn't necessarily a problem that's confined to PK systems. Any digital-signature scheme has that problem.
The other thing that I find to be a "dirty little secret" in PK systems is revocation. OCSP makes things, in some ways, "better" than CRLs, but I still find them to be a kind of "swept under the rug" problem when people are waxing enthusiastic about PK systems.
However, PK is the only pony we've managed to bring to this circus, so we "make do" with making the "dirty little secrets" as inoffensive as we can.
The cryptography mailing list
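An added example, not part of the post above, illustrating the two points the author makes: a CA signature only binds a key to a name (chain verification says nothing about whether that name is "truly" the entity behind the key), and revocation is a check that standard path validation quietly leaves to you. It builds a throwaway CA and leaf certificate (the "SlushySign" CA name and the "alice.example" host are constructed), verifies the chain, then issues a CRL revoking the leaf and shows that Go's `x509.Certificate.Verify` still accepts the chain because it performs no revocation checking; the `isRevoked` helper is the hypothetical check an application must add itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki holds a constructed toy CA plus one leaf certificate it issued.
type pki struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	leaf   *x509.Certificate
}

// buildPKI creates a self-signed CA and a leaf certificate for a constructed name.
func buildPKI() (*pki, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "SlushySign Root (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// CRLSign is required by CreateRevocationList; SubjectKeyId is set explicitly
		// because CRL issuance requires the issuer to carry one.
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: []byte{0x01, 0x02, 0x03, 0x04},
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(42),
		Subject:      pkix.Name{CommonName: "alice.example"},
		DNSNames:     []string{"alice.example"}, // the name the CA asserts is bound to this key
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &pki{caCert: caCert, caKey: caKey, leaf: leaf}, nil
}

// verifyChain asks only: did the trusted CA sign a binding of this name to this key?
// A nil error means the signature and name check passed; nothing more.
func verifyChain(p *pki, name string) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.caCert)
	_, err := p.leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}

// issueCRL has the CA publish a CRL listing the given serial as revoked.
func issueCRL(p *pki, revoked *big.Int) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: revoked, RevocationTime: time.Now()},
		},
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, p.caCert, p.caKey)
	if err != nil {
		return nil, err
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	// A CRL is itself a signed document: check the CA really issued it.
	if err := crl.CheckSignatureFrom(p.caCert); err != nil {
		return nil, err
	}
	return crl, nil
}

// isRevoked is the hypothetical application-side check that Verify does not do.
func isRevoked(crl *x509.RevocationList, cert *x509.Certificate) bool {
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

func main() {
	p, err := buildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("chain valid for alice.example:", verifyChain(p, "alice.example") == nil)
	crl, err := issueCRL(p, p.leaf.SerialNumber)
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf revoked per CRL:", isRevoked(crl, p.leaf))
	fmt.Println("chain still valid after revocation:", verifyChain(p, "alice.example") == nil)
}
```

The last line of output is the "swept under the rug" point: path validation succeeds after the CA has revoked the certificate, so an application that stops at `Verify` never learns of it. Fetching and checking the CRL or an OCSP response is a separate step with its own freshness and availability concerns.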