Encryption Security

Is The Public Key Infrastructure Outdated?

dchat writes: "Roger Clarke, Visiting Fellow, Faculty of Engineering and Information Technology at the Australian National University, claims that the 'Conventional, hierarchical PKI, built around the ISO standard X.509, has been, and will continue to be, a substantial failure', and then he goes on to explain why. I'd be interested in the views of Slashdot users, as my organisation is contemplating considerable investment in X.500 and PKI (including X.509)." Lots to read here.

Is The Public Key Infrastructure an Artifact?

  • by Chandon Seldon ( 43083 ) on Saturday November 11, 2000 @08:06AM (#630289) Homepage

    That would be hella-stupid, unless you have people on staff who are *extremely* qualified at implementing cryptography. 4000 bit keys are useless if you make a moronic mistake implementing the key system. If you need security, use PGP, GPG, SSH, or some other reliable, already implemented open protocol.

  • If your "organisation is contemplating considerable investment", I would instead consider developing your own solution. Make a proprietary public-key system with a 3000-4000 bit key strength.

    People are under the misguided impression today that the available products and services are always the best. It's trivial to set up something like a proprietary key setup in C++. The docs are all out there. Hell, I implemented a 512-bit version of DES for a computer project at Sarah Lawrence College (my school) last year.

  • by vax ( 251660 )
    so make a new one...
    commodores are outdated but we don't announce it
    instead we build our fast nix boxens

    makes sense to me...

    I see this whole issue of disintegrating e-trust as a modernist/postmodernist dilemma. The modernist posturing is inherent in the act of consumerism itself, in cryptology as well as in art -- there is a need being expressed here: for certainty, for objectivity. That need is necessary in order for people to participate in mass consumerism without considering its deeper implications. Anyone must be able to sit down and buy something, and think of it only as "I click the mouse, it shows up." Clarke does well to introduce the alternative theory of developing reputation, and that is what EBAY has done, but that approach is insufficient for the mass consumerism of the future; people can't be expected to worry about things like this. "I click the mouse, it shows up. Shipping and handling extra." Like any modernist theory, however, the Certificate Authority contains the seeds of its own demise. Clarke is correct: the private key can jeopardize the security of the whole system, as well as compromise privacy. The modernist system of 'absolute truth' has failed in the manner Clarke describes, and we are left with the postmodernist idea of relative truth and PGP's 'web of trust.' But just as postmodern art is critical of rampant consumerism and absolute certainty, so too is the pure consumerism mentioned above impossible with PGP. SDSI's idea of using attributes and not identities is useless, since attributes could then be spoofed just as easily if you got hold of a key. The whole idea of being able to maintain an identity without biometrics or chips seems suspect to me, since it has never been employed in the past. It has always been visual identification (bar tabs), magnetic strips (credit cards) or verifiable name space (billing addresses) that have been used in business in the past, and computers seem to offer no relief from these conditions. If anything they have complicated the system even further.
    If it seems that I am hedging about and not tending toward a final answer of 'what's best,' that's only because there is as yet no 'answer' to the modernist-postmodernist dilemma. I wonder, however, why it is so important to a bunch of technocrats such as ourselves that the common man be able to enact these transactions unconsciously. Maybe it is Wyndham Lewis' "the best thing humanity can do for artists is to remain unconscious," to provide us with problems to solve. "Machines are our favorite game," he says, "we invent them and hunt them down." But he too is a modernist. A postmodern and perhaps more enlightened approach might be to say that those unwilling to stand up and defend their e-rights through all due vigilance have no place doing business on the no-man's land of the internet, unless we want an internet Leviathan to replace this no-man's land.
  • by McAlister ( 20810 ) on Saturday November 11, 2000 @08:11AM (#630294) Homepage
    I think that the author of this paper gets it about 1/2 right - especially when he says that the current "standard" way of implementing the Registration Agent process is flawed - it is - most companies that offer Certificates do so with a great deal of show about the fact that you can now sign your e-mail, but with very little education and thought in the overall security chain process. What is worse is that most major PKI vendors don't have real Certificate Policies - instead, they publish Certification Practice Statements that wrap all of the various certificate types up in one bundle, without explaining in clear, concise language what the reasonable trust expectation would be out of any given certificate - thus leaving the certificate purchaser a very fake sense of security. So, that said - I would have to disagree with the Article Author when he says that we need to abandon X.509 based PKIs - I would say the exact opposite - we need to adopt them, but with a careful eye to standards compliance, and with large amounts of user education. There needs to be some common criteria established that allows consumers to rate the various PKIs currently offered, and decide which ones actually can provide the trust levels that are required in their particular circumstances.
  • Yeah, but look, when the ISA personal computer bus became outdated - and it wasn't all that old either - how many typical home lusers would even have the faintest idea what ISA was? If you mentioned ISA to them they'd stare just as blankly. Ideas and implementations don't become outdated solely by their age.
  • If the government thinks it's a good idea then that's reason enough to run as fast as possible in the other direction.

    Good ol' Dick Cheney seems like just the sort of guy to make sure national ID smart-cards with certification are put into place and the sooner the better. You'll need one to vote. He and his boss won't want to go through another election like THIS again, so in the future they will want to nip any recount talk in the bud. I believe Gore would think that's not a bad idea, either, but he and Lieberman probably wouldn't push the plan.

    And for those who say the voting process rests with each state, that's true, but they'll just set a national "best practices" standard and should a state not comply then they'll just withhold Federal highway funds. They like that trick. The US government will become the ultimate CA. Think about it. What do you want Uncle Sam to do for you? Let you vote? The government needs to know who you are. Need Medicare assistance? They need to know who you are. Want a small business loan? ID checks are mandatory. Decide you'd like to have some of your social security "investment" back when you're 65? They DEFINITELY want to know who you are then. Want to perform banking transactions? Banks are required to tell the government about all large transactions. How large, you ask? Consider that the biggest denomination of US currency is $100 and why.
    Your reply is well intentioned but misinformed. I doubt the original poster was slighting the potential exploits of the script kiddie crowd, but there is a problem with your position. Smart card hacking has in the past been possible with little to no equipment when manufacturers made really stupid mistakes, allowing things like timing and power attacks against crypto, power attacks on secure key storage, and some low cost forms of probing. However, the "bar" of equipment cost needed to access your average smart card is continuing to rise, and at a substantially faster rate than the cost of lab equipment is dropping. Work in conformal coating and tamper detection processes has currently raised the bar to the point where even normal e-beam probing is insufficient for a good chip, and that equipment costs 2+ orders of magnitude more than a PC, placing it slightly out of reach of your script kiddie crowd. Newer chips require handling in remote manipulation cells to avoid triggering various tamper devices, and there's another 1-2 orders of magnitude just for a support item. I'm not trying to say that smart cards are secure, or ever will be - thin plastic just doesn't cut it. But I think it's naive to extrapolate the pervasive threat of the script kiddie into a problem space requiring at least several days' access to equipment costing as much as a few million USD.
  • Screwing with S-boxes has actually been shown to weaken DES significantly. Just changing the order of S-boxes in DES has been shown to significantly weaken DES encryption. Schneier gives an excellent discussion of this in his Applied Cryptography...

    Frums

  • by Anonymous Coward on Saturday November 11, 2000 @08:40AM (#630299)
    What do you mean by a 512-bit version of DES? Did you just screw with the key generation scheme for each round? Is that really that much more secure? Encrypting data twice with DES does not give you much more security. That's why there's 3DES but not 2DES. I'm not convinced that what you did is significantly more secure, esp. if you messed with the S-boxes and stuff. Using a proprietary system has glaring disadvantages, such as umm... not having anyone being able to decrypt or encrypt data unless you send him/her your homebrewed system. So if they intercept this transmission, there goes your security through obscurity. If the data you're sending is within a private organization, it usually makes more sense to use private key systems. Plus, public key systems are slow. Implementing 3k-4k bit keys would be stupid since there isn't a need for it. And of course, as mentioned somewhere else, the article talks about key deployment and models of trust, not cipher strength.
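The comment above says that encrypting twice with DES buys little, which is why 3DES exists and 2DES does not. The reason is the meet-in-the-middle attack: against E_k2(E_k1(p)) an attacker holding one known plaintext/ciphertext block tabulates E_k1(p) for every k1, then for every k2 looks up D_k2(c) in that table, so two 56-bit keys cost about 2^57 DES operations plus 2^56 table entries instead of the 2^112 that the doubled key length suggests. The Go program below is an added example written for this page, not code from the thread or from Clarke's paper. It uses Go's standard crypto/des and, so that it finishes in well under a second, lets only 14 bits of the key vary; that restriction, the fixed key prefix, the secret toy keys and the two sample plaintext blocks are constructed for the example, and the algorithm is unchanged for a full-width key.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"fmt"
)

// keyBits is the size of the toy key space. A real DES key has 56 effective bits;
// here only 14 vary (the non-parity bits of the last two key bytes) so the search
// finishes quickly. The attack itself does not depend on this choice.
const keyBits = 14

// desKey expands a 14-bit toy key into an 8-byte DES key. The first six bytes are a
// fixed constant chosen for this example; DES ignores the low (parity) bit of each
// byte, so the variable bits are shifted left by one to keep every toy key distinct.
func desKey(k uint16) []byte {
	key := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0, 0}
	key[6] = byte(k>>7) << 1
	key[7] = byte(k&0x7f) << 1
	return key
}

func encrypt(k uint16, block []byte) []byte {
	c, err := des.NewCipher(desKey(k))
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out
}

func decrypt(k uint16, block []byte) []byte {
	c, err := des.NewCipher(desKey(k))
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	c.Decrypt(out, block)
	return out
}

// DoubleDES computes E_k2(E_k1(p)) on one 8-byte block: "2DES".
func DoubleDES(k1, k2 uint16, p []byte) []byte {
	return encrypt(k2, encrypt(k1, p))
}

// MeetInTheMiddle recovers (k1, k2) from two known plaintext/ciphertext pairs.
// It tabulates E_k1(p1) for every k1, then for every k2 looks up D_k2(c1) in the
// table: about 2*2^keyBits DES operations and 2^keyBits table entries, instead of
// the 2^(2*keyBits) trials a search over both keys at once would need. The second
// pair rules out chance matches. ok is false if no key pair fits both pairs.
func MeetInTheMiddle(p1, c1, p2, c2 []byte) (k1, k2 uint16, ok bool) {
	forward := make(map[uint64]uint16, 1<<keyBits)
	for k := 0; k < 1<<keyBits; k++ {
		forward[binary.BigEndian.Uint64(encrypt(uint16(k), p1))] = uint16(k)
	}
	for k := 0; k < 1<<keyBits; k++ {
		mid := binary.BigEndian.Uint64(decrypt(uint16(k), c1))
		if cand, found := forward[mid]; found && bytes.Equal(DoubleDES(cand, uint16(k), p2), c2) {
			return cand, uint16(k), true
		}
	}
	return 0, 0, false
}

func main() {
	// Constructed sample: two 8-byte blocks and their 2DES encryptions under the
	// secret toy keys 0x0abc and 0x3d5e (both below 2^14).
	p1, p2 := []byte("slashdot"), []byte("Nov2000!")
	c1, c2 := DoubleDES(0x0abc, 0x3d5e, p1), DoubleDES(0x0abc, 0x3d5e, p2)
	k1, k2, ok := MeetInTheMiddle(p1, c1, p2, c2)
	fmt.Printf("recovered k1=%#04x k2=%#04x ok=%v\n", k1, k2, ok)
}
```

The forward table is the whole story: doubling the key length doubled the work only from 2^14 to 2^15, at the price of 2^14 stored blocks. Triple DES with the middle step run in the opposite direction (E-D-E) is what pushes the same attack back up to roughly 2^112 work with 2^56 memory, which is why the standard went to three keys rather than two.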
  • Um yeah, did you happen to notice how many "goat sex!" postings there are here?

    Even reading at "0" is intolerable.
  • Ummm, CmdrTaco didn't link it. In the stories all of the italicized parts are submitted by users like you or I, the non-italicized stuff is Taco's or whoever actually posts it.
  • by Lohgra ( 253776 ) on Saturday November 11, 2000 @08:42AM (#630302)
    these new methods you propose are no better. if you could have gotten access to someone's PKI private key you can get access to all their individualized authentication keys. this means you can impersonate them at least everywhere they've been before.

    also, there's the issue of accountability. with PKI you can use post offices, biometrics, chips etc. what do you do with individualized systems when you want to do a first transaction between a person and a website? you can't use 'reputation' without some universal identifier that would make these individualized systems useless if it worked. so what's left, credit card or social security numbers? how do you transmit to be used in a crypto-system you haven't yet established (because you're going to use these numbers as keys for the system). they can be intercepted, and if you don't use these numbers what have you got left? there has got to be some global protocol for the initial communication, and everyone needs a public key. the only advantage of PKI over a credit card or soc # is that you don't care if people intercept your PKI public key!
    I think one of the most important points in the paper is that absolute trust/knowledge is absolutely unnecessary. The drive for PKI stems from fear that people will not engage in transactions that are too risky. A look at credit card usage on the net/mail-order market shows something interesting. One of the main reasons that e-commerce took off at all was that customers knew that they can cancel a transaction even a month later if needed, simply by calling their card issuer. Absent that security, few would have dared to buy anything substantial from an unknown company thousands of miles away.

    This suggests that the only thing really needed for e-commerce is not trust between parties but the availability of cheap insurance against fraud. A digital identification mechanism's minimal requirement is that it allow insurance companies to manage their risks. A scheme would be good enough if the dollar amount of fraud that it allows is less than the cost of eliminating it (that doesn't refer to SPKI which has a different focus).

    I have no idea what the implication of what I just said is; I hope someone else has ;-).

  • how would you buy something in this way? suppose the security is compromised at a mail server, and you end up buying forty pounds of highly perishable strawberries instead of a DVD player.
    suppose also that you have reason to suspect that it may be someone with ill intent toward you who caused this error by invading the mail server. the company also suspects e-espionage from activist groups.

    so the strawberries decompose quickly on your front lawn. setting aside the issue of scavenging animals, who is liable for the error? is it you in a "buyer beware" situation? is it the company for not providing better authentication or calling you up to confirm (defeating the point of e-commerce), or is it in some strange way the mail servers who are liable?

    You might respond that your system is just for communication, not for e-commerce. Fine, but we need something that is for e-commerce, so we need to keep looking.
  • My only interaction with PKI has been in buying certificates for SSL web servers. But even in such a limited domain I have several complaints, which I imagine are probably shared by other admins:

    Getting a certificate is slow (may take several weeks) and expensive (~$100/year), making it prohibitive to small organizations and individuals. Only capital rich organizations should have encryption is the moral of that story!

    The technology is too complicated. Installing a cert is a pain, and riddled with unnecessarily complex encryption jargon. All I want is a secure web server, but to get it I have to learn about a variety of different certificate and key formats.

    The browser makers (who distribute the top-level certs) operate a functional cartel with the certificate companies (Verisign, Thawte etc), to prevent real competition for certificate producers. You need to be in the club to get your certs distributed, and hence recognized by browsers.

    The certificate companies have no interest in providing certificate granting authority certificates. For example, suppose I'm a large organization such as a University, and I want the right to grant certificates for departments, units and individuals within my organization (on the grounds that I, the bureaucracy have the tools to authenticate their identities). Even though the technology permits this -- I could have a certificate granting certificate, issued by one of the cert. companies. It won't happen. The reason being that the cert companies have no incentive to give away their primary business asset -- the right to create certs.

    So my response is this: Let's push for PGP as the new infrastructure. It is inherently devolved, because if you have a PGP key you automatically have the right to sign someone else's key -- everyone can be a certificate authority. PGP could be bundled with web browsers and email software, along with a few central PGP keys (such as verisign and thawte). Then we could really start building that web of trust.

  • Read Schneier.

    Attackers won't get in by defeating smartcard antitamper mechanisms any more than they get in by brute-forcing DES today. Even when the cards are perfect, there will be gaping holes in the system.

    Consider for example a smartcard reader connected to a Windoze box and used to authenticate network connections. Why bother breaking the card when you could just take over the machine once authentication is complete?

    That, and DeCSS-style stupidity inside the cards should mean that hackers of all varieties will continue unimpeded.

    Privacy however... now there's a problem.
    --
    Martin

  • It's not about PKI being outdated - it's more about it being unworkable in the real world. PKI is not a bad structure for identifying devices. The basic model works when my gateway wants to know if that really is my mail server it's talking to.

    Where it doesn't work is when you try and bind keys to people (as the author points out). This is, in part, because people don't (can't) secure their private keys. It's also in part because the whole concept of identity is fuzzy. Identity theft is trivially easy and so it's simply not possible to create a CA that can really prove or disprove identity.

    Add to that the simple fact that security based on "something you know" has never been reliable due to the propensity to share the secret and PKI becomes doomed. Moving to a "something you have" system (eg smart card) helps but now we're back to proving the device we're talking to, not the user of the device.

    In summary - All trust is relative - PKI assumes that absolute trust is possible and so does not work in the real world.

    --
  • Well looks like Bruce Schneier's latest book is still correct.

    The crypto guys do security based on trust and come with the X.509 certs etc.

    The traditional comp sec guys always use risk assessment to implement security policies. IE they trust no-one, but look at mitigating the risks of trusting some(one/thing).

    That's why X.509 never took off, trust is not a good thing in comp sec - just look at the M$ security model which is based on trust and regularly shows 'issues'.
  • I must admit, the arguments are convincing - but unfortunately, the assumptions he makes initially are wrong, so it follows that the arguments are against a straw man.
    The problem is, he seems to build an argument that an absolute online identity is needed, worldwide. What it *really* comes down to is this:
    • Sellers want to know they will be paid for their goods
    • Buyers want to know they will actually receive the goods they have paid for
    Neither of these need an absolute identity check -
    if you walk into a shop, do you need a passport and driving licence to buy a shirt? no, you only need money.
    If you order something not currently in stock, do you expect to see the current books, proof of lease on the shop, and other forms of ID for the business? no, you make a general assessment of the odds of the shop staying in business - or pay by credit card, and rely on being able to claim back the cash if they get stung.

    These same factors map well to the internet - and if you are going to have an ecommerce-orientated, hierarchical trust system, the obvious candidates for top level CAs are the credit card companies themselves. AE are already moving to ephemeral payment (one-shot credit numbers for a single transaction) and could easily offer prepaid cards that do the same thing (in much the same way mobile phone companies can sell prepay cards for their phone service). Yes, it would be possible to have each and every transaction tracked and logged as no other system of commerce has ever done before - but why do we need it?
    --

  • And how, exactly, is the fact that your buddy down the hall in the dorms has signed your key going to do anything useful, like, for example, give you access to the items on electronic reserve at the library that have been purchased for the use of only engineering students?
    It won't - but a web-CA bought cert won't either. The correct solution for this case is for the head librarian to generate a CA key, and sign the keys of each new year's intake. That way, one key expires every year (taking the leaving students auths with it) and one new one is created each year (which is what you point out further down the chain).

    In this case, you are certifying something different than the story covers - you aren't certifying the identity of the user, you are handing him an access key to a resource you control.
    In theory, the Web of Trust is a long term, distributed solution to the Identity problem. In practice, it would require Perfect Users (ones that never certify incorrectly, never lose control of their own key and never attempt to obtain a false certification for personal gain) and those are a bit thin on the ground...
    --

  • "The other benefit here is that with physical smart cards, private key theft is nearly impossible. (The only exploits I know of involve physical access, and LOTS of equipment beyond the reach of the average skript kiddie)"

    Again the ingenuousness comes up... LOTS of equipment? And what are skript kiddies? They are nothing more than people using LOTS of equipment and software. Script cracking was born from the huge build-up of 25 years of computer cracking/hacking, when all this software and equipment became able to be automated. In fact a skript kiddie knows nearly nothing about the innards of the system or software he exploits. He uses the huge knowledge database hackers/crackers left and the huge level of automation script languages give. Nothing more.

    One may think that dealing with hardware will be harder for kiddies. Are you sure of this? Are you really sure? Today some of the electronic infrastructure for smart card systems costs only a few tens or hundreds of bucks. And already today people break, crack, rip codes from magnetic strips, chips and other stuff. Besides there are serious problems in doing security. Sometimes people try too hard at doing authentication and leave other things completely untouched. Once a physical key was broken in less than 15 seconds just because the developers decided that an "if key exists then do_everything_else" would suffice.

    20 years ago many people would have given their hand defending the capacity of 56-bit DES. Where are we today? Magnetic stripe cards are not a problem for ATM thieves. Even if they are 10 years old, they are able to get in today. Like the Kalashnikov AK-47, modern computing gave a universal weapon to everyone. The only problem is time and a few bucks at the needed moment...
  • Assume I work for an organization, say, a large midwestern university, where we want to deploy a public key infrastructure.

    ...if you have a PGP key you automatically have the right to sign someone elses key -- everyone can be a certificate authority

    And how, exactly, is the fact that your buddy down the hall in the dorms has signed your key going to do anything useful, like, for example, give you access to the items on electronic reserve at the library that have been purchased for the use of only engineering students?

    On the other hand, a central authority has the information to issue certificates that the rest of the official organizational structure can make use of.

    And so, you either:

    1. download a customized browser with the campus certificate authority certificate pre-loaded, or
    2. click a link to install the CA certificate,
    and voila you are in business.

    And your certificate based on this CA will, in all likelihood, be accepted on campus, but this is probably a feature. When wider use of user certificates comes, and it will if the fedgov gets their disintermediation efforts off the ground, then more widely accepted root CAs will proliferate (I'm guessing credit card companies, and all levels of government).

    And that's where I think the problems will really start -- it'll be just like my meatspace wallet which has an absurd number of verification tokens in it, and knowing which you can use where and when and just carrying them all around gets cumbersome.

    What would be convenient, but which gives many of us the willies is a single national certificate which can have various endorsements added to it, so if I present it to a site, they can search it for the endorsement or endorsements they want to see, but I as a simple minded user (and that's the most common kind) just 'hand them my papers'.
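The question a few comments up, whether a university could hold a certificate-granting certificate and sign its own departments and students, and the reply proposing that the head librarian run a CA whose signing key expires each year, together describe a small hierarchical PKI. The program below builds that hierarchy with Go's standard crypto/x509 as an added example for this page; it is not code from the thread, from Clarke's paper or from any CA vendor. It creates a campus root, a one-year library CA that the root delegates to with a path-length constraint so it cannot create further CAs, a student certificate beneath it, and the check a campus service performs once the campus root is installed (the "click a link to install the CA certificate" step, which here is adding the root to a certificate pool). The names, serial numbers, lifetimes and P-256 keys are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a certificate template. CA templates get the cert-signing key usage and a
// path-length limit (how many further CAs may sit below them); end-entity templates get the
// client-auth extended key usage a campus service checks. Names and lifetimes are assumed.
func template(cn string, serial int64, from time.Time, years int, ca bool, pathLen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             from,
		NotAfter:              from.AddDate(years, 0, 0),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		t.MaxPathLen, t.MaxPathLenZero = pathLen, pathLen == 0
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue generates a fresh P-256 key and a certificate for tmpl signed by parent; nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// CampusPKI: a long-lived root, a one-year library CA (pathLen 0: it may sign students but not
// create further CAs), and a student certificate that lapses together with the library CA.
type CampusPKI struct{ Root, LibraryCA, Student *x509.Certificate }

func BuildCampusPKI(start time.Time) (*CampusPKI, error) {
	root, rootKey, err := issue(template("Campus Root CA", 1, start, 10, true, 1), nil, nil)
	if err != nil {
		return nil, err
	}
	lib, libKey, err := issue(template("Engineering Library CA 2000/01", 2, start, 1, true, 0), root, rootKey)
	if err != nil {
		return nil, err
	}
	student, _, err := issue(template("student@example.edu", 3, start, 1, false, 0), lib, libKey)
	if err != nil {
		return nil, err
	}
	return &CampusPKI{Root: root, LibraryCA: lib, Student: student}, nil
}

// Verify is what a campus service does with the root installed: trust only that root, supply the intermediate, check the chain at time `at`.
func (p *CampusPKI) Verify(cert *x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.LibraryCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// RogueStudentCert is the "buddy down the hall" case: a self-made CA signs the same student name.
func RogueStudentCert(start time.Time) (*x509.Certificate, error) {
	buddy, buddyKey, err := issue(template("Buddy's CA", 99, start, 1, true, 0), nil, nil)
	if err != nil {
		return nil, err
	}
	cert, _, err := issue(template("student@example.edu", 100, start, 1, false, 0), buddy, buddyKey)
	return cert, err
}

func main() {
	start := time.Date(2000, 11, 11, 0, 0, 0, 0, time.UTC)
	pki, err := BuildCampusPKI(start)
	if err != nil {
		panic(err)
	}
	rogue, _ := RogueStudentCert(start)
	fmt.Println("student, one month in:", pki.Verify(pki.Student, start.AddDate(0, 1, 0)))
	fmt.Println("student, two years on:", pki.Verify(pki.Student, start.AddDate(2, 0, 0)))
	fmt.Println("buddy-signed student: ", pki.Verify(rogue, start.AddDate(0, 1, 0)))
}
```

Run as written it reports nil for the student within the year, an expiry error for the same certificate two years later (the library CA and everything beneath it lapse together, which is the "one key expires every year" property; next year's intake is served by issuing a new intermediate under the same root), and an unknown-authority error for the buddy-signed certificate: a signature from a key the campus root never delegated to carries no weight, whatever name it certifies, which is why the web-of-trust signature and the access-control question in the comments above are not the same problem.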

  • Actually, I fear that Gore may be even more in favor of this kind of thing than Bush. That's why it was so hard to finally decide to vote for him. Gore is in favor of big government. Bush is in favor of big business. None of them were in favor of me. The whole damn election revolved around which of the two is more disgusting. If you hated them approximately equally you ended up voting for Nader. I sure wish that the president needed to be elected by a majority rather than by a plurality.

    Caution: Now approaching the (technological) singularity.
  • Yes, I very much agree with what you say here. I was getting at the idea that individual users have a hard time abstracting the idea of how encryption works and why they need to keep their keys secret. Furthermore, getting them to simply encrypt certain items of importance worth securing is far too difficult at present to be considered seamless. Probably one of the last things I need is to have someone calling me with a problem like "I have six months of research on my computer. I tried to pull my private key off of my floppy disk to retrieve my data, but it says the disk isn't formatted..." There are just too many pitfalls currently. I think a solution to a lot of the problems I have mentioned need to start at the level of applications being worked with, supporting a higher level of integration of the concept of encrypting files, thus making the process as simple as loading and saving, with perhaps the addition of a passphrase to unlock the private key from your flash memory stick... Something along those lines could work. But yes, there are other problems with PKI as well...
  • Convenient for who? Just how are you proposing that the item you wish to send gets authenticated? I'm not claiming that PGP is the answer. But I sure don't like the idea of a centralized authority. Just consider what such a mild form of centralization as DNS authentication has done in less than two decades. (I'd say less than one, but I don't know their history.)

    The essence of PGP is definitely the right way to go. When you get your account, you get a key that allows you to detect that messages actually come from the account giver. When you are ready you dialog with the account giver to create a "handle" that has the opportunity to become trusted, e.g. MyFreshmanEnglisAssignme... excessive verbage deleted
    Caution: Now approaching the (technological) singularity.
  • I wonder however, why it is so important to a bunch of technocrats such as ourselves that the common man be able to enact these transactions unconsciously.

    The answer to this is obvious: there is a class of person ("common" or otherwise) for whom acquisition of material wealth is the overriding goal of the game of existence. The only way to acquire large amounts of such wealth is to obtain it from large numbers of the "common man", i.e. "consumers". In order to do this most efficiently, it is necessary that consumers be separated from their money by as few clicks of the mouse as possible.

    Based on this analysis, of course, it is clear that Amazon.com with its one-click patent can be said to have won this game. Nevertheless, the game continues to be played vigorously, since acquisition of wealth appears to be one of the most motivating games ever conceived.

    BTW, are paragraph breaks considered a po-mo no-no?

    I have a little experience here in the IPSEC arena, and the company that I was previously working for has decided to waste a heap of cash building a place to house a CA because of this initial IPSEC delve. The basic problems - in the real world - that I see are that whilst PKI/X.509/LDAP are ratified IETF standards - the way that the CA vendors (Entrust, Verisign, Baltimore etc) build their CAs for use is way too commercial. In Australia, we have a "set of rules" set up for cert use with the government called "Gatekeeper". Gatekeeper is the baseline that CAs who propose to sell/sign certs to the AU-Government *must* adhere to - such as physical security, IP security, on-site security etc. (BTW: not having "Gatekeeper" approval does NOT mean you can't sign keys! But that is another story relating to trust of the key provider.) None the less, the most difficult item that I see is that the CA vendors all do things differently for themselves. It is possible to build a CA with basic equipment and some basic software - pay an upstream trust for a CA cert and Bingo - you have a CA! Now, if you want to sign SSL certs - you have to buy the SSL module (and with some configs - the extra client software). If you want to use a cert to sign S/MIME - you buy another module - you want to encrypt files.. you buy another module and so on and so forth.. Basically - like Ethernet of the old days, whilst there is a BASIC idea of HOW PKI works and a framework for use - even the CA vendors haven't got it "open platform". It is very hard to get unlike CA software to intercommunicate! Oh.. yea - Australia Post (National postal network) built their own CA software - they *should* have had the best platform due to their unique nationwide RA possibility - but it died in the arse - they shouldn't have written their own software! You would have to be mad to be all things to all men in this market! Don't build your own - buy someone else's!
  • by StormyMonday ( 163372 ) on Saturday November 11, 2000 @05:35PM (#630318) Homepage
    The author is saying that complete trustworthiness is unobtainable.

    Duh!

    There is no magic pixie dust that you can sprinkle on e-commerce (or anything else, for that matter) to make it "secure". You'll have a hard enough time just defining what "secure" really means for a given application.

    The real question is, "is it good enough?". You are the only one who can answer that. Is what you are buying appropriate for your application?

    One very big red flag is your comment that you are contemplating a "considerable investment". Sounds like somebody is trying to sell you a trainload of snake oil. The basics of PKI are not that complicated.

    Personally, I'll trust a CA when they agree to be liable for consequential damages, ie, "We agree to pay any damages you've suffered caused by your reliance on our certificates". I'm not holding my breath.

    --
  • Sorry about the paragraph breaks. ;) I forgot to set it to 'plain old text.'

    Well what you said explains why the Amazonian dot com people should care if PKI is "An Artefact Ill-Fitted to the Needs of the Information Society."

    But we're not them. What do most /.ers care if the .com retail monopoly crumbles due to security flaws? I think a lot us might be sort of happy about it, in a sick, Dr. Strangelove kind of way.
    POE and all that.

    I think that we /.ers largely care about the system intellectually, like Wyndham Lewis says: "machines are our favorite game, we invent them and hunt them down."
    SPKI/SDSI is quite the nifty way to deal with some notoriously hairy auth problems that traditional hierarchical PKI never really satisfied. Unfortunately, people seem to have difficulty in understanding it, and that in itself is a problem. In some ways it doesn't much matter that a system is adequately secure if its users can't see why they should be able to trust it. Maybe it does just take implementing the thing and letting time take its course, but that's not very much fun.
  • Authority is bad mmmm 'k.
  • by sommerfeld ( 106049 ) on Saturday November 11, 2000 @07:54AM (#630322)
    I've been working in security/authentication/PKI related areas for close to 15 years. The paper is entirely correct that a hierarchical PKI is doomed to failure because it implies a One True Root which everyone trusts.

    I believe that what eventually will evolve is a whole bunch of little problem-domain-specific public-key infrastructures, some of which will use x.509 certificate formats, some of which won't. pgp, ssh, secure dns, etc, all "do their own thing" and provide a public key infrastructure to attempt to solve the piece of the problem they care about without getting tangled into the morass of hierarchical PKI which caused Privacy Enhanced Mail (PEM) to sink without a trace.

  • by Halo- ( 175936 ) on Saturday November 11, 2000 @08:11AM (#630323)
    I work writing code for one of the major players in the PKI space. Without mentioning any names, or making any plugs, I would advise you to think long and hard about what you are trying to accomplish with PKI and why. A lot of the existing products on the market are more interested in domination of the market, and less on being the transparent (if elaborate) infrastructure PKI was designed to be. PKI should be as dependable and transparent as any of the other internet "specs" when done right. Of course, history has shown that nothing is ever that simple, just look at the wars being fought over Java or the ones over HTML (which have died down to some extent.) PKI works well for those who are willing to suffer the pains of being an early adopter. Micro$oft and Netscape browsers don't parse certs the same. (Sadly, I have to admit that M$ is ahead in this area.) The major vendors often have interpreted the specs just differently enough to make interoperability a major problem. My advice is to find a product which fits your present needs, and seems to offer the flexibility to expand into the future. The flexibility is going to require a willingness to play nicely with others and to integrate with existing apps. Stay away from total end-to-end solutions. You are not looking for a "structure" but an "infra-structure". For all the complexity, PKI is likely to become much more widespread due simply to the demand being placed on the internet by corporations. IPSec and smart cards are becoming a reality, and the best way to manage those is PKI. The other benefit here is that with physical smart cards, private key theft is nearly impossible. (The only exploits I know of involve physical access, and LOTS of equipment beyond the reach of the average skript kiddie) As PKI becomes more widely deployed, its providers will be forced to become more standardized or get out of the game.
    Just like with the Web, early adopters had a lot of headaches with different browsers' HTML parsers, image formats, etc... but these days those issues have mostly been dealt with, and the early adopters now have a stronger business because of longer term involvement in the medium.
  • The problem with PKI is deployment. Not cipher strength.
  • The US Government is making a major investment in PKI. Which, if past experience is any guide, means that this is yet another instance of "building yesterday's solution to today's problems tomorrow." Remember GOSIP?
  • by Anonymous Coward
    reasons to dump PKI [connotech.com]
  • by Anonymous Coward
    It's absolutely not true that there is only one true root in PKI. There are many roots - go take a look in your browser. You're free to not trust them if you don't like them. Corporations who deploy PKI internally usually have a browser distribution with their own root installed.
  • Instead of having each mail user have their own key, which is a lot of trouble, have the mail servers communicate with each other, and with mail clients, using TLS (i.e. SSL).

    There is already some support for this from a few mail clients (mostly incomplete), and from a few mail servers.

    In some ways it is not as secure as the end-to-end encryption of a complete PKI solution. You have to trust the mail servers to not be compromised. But it is a lot less expensive.

    Also, companies generally would like to be able to read their employees' official communications even if they don't want any random person to intercept plaintext.

  • While reading the "Intro to Cryptography" document included with PGP, its concept of PKI made much more sense to me (the "Web of Trust" model.) Of course, within a company (that is, if all certificates are created and kept inside the company) most likely X.509 and Web of Trust are equally useful. The decision, then, falls outside the security realm and into cost and implementation concerns.
  • The greatest danger in PKI is that legislation will be passed to enforce the end of the flowchart from the lawyer's perspective: "Lie on X.509, go to jail."
  • by Paul Crowley ( 837 ) on Saturday November 11, 2000 @09:18AM (#630331) Homepage Journal
    Yes, the whole hierarchical X.509 approach was doomed from the start and needs to die. What the world really needs is the Simple Public Key Infrastructure, SPKI [std.com]. This provides a way to generate certificates which transfer trust between keys in various sorts of highly flexible, controllable ways. Read the SPKI docs and you'll be converted to our religion; your whole view of naming, and of the role of a PKI, will change.

    SPKI is the public key infrastructure that can actually achieve what it promises, because it doesn't have a root certificate that only God could properly hold. It's the ideas of PGP's Web of Trust taken to their logical conclusion. And it is simple, and neat, and easy to understand. Everyone interested in the problems with PKI should look into it.
    --
  • by Anonymous Coward on Saturday November 11, 2000 @09:41AM (#630332)
    The paper is really hugely inflammatory.

    Either Clarke generalizes problems to all deployments of PKI, or he blames PKI for wider 'security is just plain hard' problems.

    Here's some examples:

    • In 3.2 he describes a long list of proposed requirements to prove identity. This is interesting, but avoids the plain fact that proving identity is not only a problem for PKI. Besides, many corporate implementations of PKI issue building-access badges to users with similar proof-of-identity requirements. Is it too much to ask to issue a smartcard at the same time? No, institutions do this today.
    • He claims that PKI implies one trusted root. Wrong. Look in your browser for about 30. You can decide to trust or not trust each of them. You can add new ones.
    • He claims that conventional PKI has a string of restrictions which are basically choices made by the implementor of a particular PKI deployment. Out of this list, I have only ever seen 3:
      1. "a certificate that expressly claims to 'bind' the key to a person" - this depends on how well the RA authenticates the user. An intrinsic problem with any organization issuing credentials - not just PKI.
      2. little or no choice as to who will issue the token - This is understandable, since the PKI group in an organization will typically have determined the most appropriate security class of tokens for the deployment.
      3. Little or no choice in the organisation from which the individual acquires a certificate - again, up to the individual deployment.
      All of the other items are plain not true. And any organization who does keygen on behalf of a user is plain dumb.
    • In 4, he claims that it's possible to steal keys by breaking into a server. Again, that's up to the deployment. We recommend that keys are stored on hardware tokens. Plain and simple. Most devices do not provide for a facility to remove a key from a hardware token.
    • "Private keys are susceptible to a vast array of risks, both of capture, and of invocation without the authority of, or even knowledge of, the consumer/citizen." - bunk. Plus, the rest of the paragraph doesn't really support this sentence anyway.
    • In 5, he says that the Name Space has to be well managed and requires cooperation of different entities. Not true. Thawte and Verisign did not have to cooperate before because they had different roots. This is a point he doesn't seem to understand at all.
    • dot, dot, dot ...
    There are many ways to set up a PKI. You can set up a PKI with any or all of the problems Clarke cites. That would be the wrong way.

    With a little more work, his paper could have been a very constructive HOWTO, to inform the reader how to set up a good PKI. However, he just rants on about problems, none of which are unique to PKI, without providing the solutions, most of which are well known.

    His paper should be titled "Pitfalls to avoid when setting up a PKI".

  • I would venture that PKI will indeed be a major player, as you say, and for a very simple reason that the paper's author seems to at least partially ignore. People don't always want or care about anonymity. Before you say "What the *@#% is this clown talking about?", ask yourself:

    Do you have a credit card?
    Do you have an airmiles card or a "club" card?
    Do you have a bank account with services attached to it for auto deposit and/or withdrawal?
    Do you have a driver's license?
    Do you have a listed phone number?

    All of these are certificates of a form. All of these tie our person into a bank of information somewhere. All of these "corrupt" our privacy. Do you think the telemarketers are lucky at guessing your name? :-)

    PKI represents another certificate in these veins, and a way to make them more network-friendly and less susceptible, as Halo- says, to simple mass impersonation and replication. Of course it isn't anonymous, and there is a privacy hole. How else do I know who you are? A perfect privacy system would allow a group of innovative individuals to put a fictitious character through university and get a degree, as long as they are consistent. Attaching a real entity to the identity of the certificate is sometimes a needed thing.

    The issue in my mind is that, as has been occurring on the web of late, the consumer has at least nominal control of that information. The collecting body may only use it in the scope of the transaction and within the confines of the business I am dealing with. It may not be sold, leased, loaned or given to any other party without my express permission.

    In Canada, we have a "stored Census" database. That information may only be used to compile and prepare voters' lists. You may also opt out of that. It saves us on the order of $30 million Canadian per election. I imagine the US would save a lot more. If you pick a distinct winner that is :-)

    Ultimately, the majority of people are probably fine not being anonymous entities, as long as the privilege of having their information is not abused. I'd concentrate on the behaviour and responsibilities of the corporations collecting the information rather than needing a perfect system to replace the PKI. At least on the practical front.

    2 cents. No change.

  • by thermal_noise ( 57351 ) on Saturday November 11, 2000 @10:00AM (#630334)
    The PKI movement has been riddled by its own complexity ever since its beginning.

    The problem with PKI is that it depends on a common trusted root, and a global namespace. It is also hampered by crude certificate revocation methods.

    There is a movement towards a simpler PKI, SPKI, which addresses all those issues. Of course, there will be a need for co-operation between the two approaches.

    See Carl Ellison's page [std.com] for more great info, especially a thorough comparison of approaches [std.com].
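
The SPKI idea that Paul Crowley and thermal_noise describe above, certificates that transfer authority from key to key with no global root, is easiest to see in code. The following is an added example, not code from either poster, from Carl Ellison's pages, or from the SPKI standard itself: a toy model of the SPKI 5-tuple (issuer, subject, delegate, authorization, validity) and the chain reduction that folds a chain of such certificates into one. The signature check is assumed to have happened before a certificate reaches this code (an assumption, so only the chain logic is modelled), and all key names and dates are constructed.

```python
"""Toy SPKI-style authorization chain reduction (added example, constructed).

Each certificate is the SPKI 5-tuple (issuer, subject, delegate,
authorization, validity).  Assumption: every certificate handed to this
code has already had its signature verified against the issuer's key, so
only the chain logic is modelled here.  Key names are constructed labels.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    issuer: str           # key that signed the certificate
    subject: str          # key that receives the authorization
    delegate: bool        # may the subject pass the authorization on?
    auth: frozenset       # permissions granted, e.g. {"read", "write"}
    not_before: date
    not_after: date


def reduce_pair(a, b):
    """Combine cert a (issuer -> subject) with cert b issued by a's subject.

    Returns a single equivalent cert, or None if the two do not chain:
    a's subject must have issued b, a must permit delegation, the resulting
    permission set is the intersection, and the validity window is the
    overlap of both windows.
    """
    if a.subject != b.issuer or not a.delegate:
        return None
    auth = a.auth & b.auth                 # authority can only shrink
    not_before = max(a.not_before, b.not_before)
    not_after = min(a.not_after, b.not_after)
    if not auth or not_before > not_after:
        return None
    return Cert(a.issuer, b.subject, b.delegate, auth, not_before, not_after)


def reduce_chain(chain):
    """Fold a whole chain into one cert; None if any link fails to chain."""
    result = chain[0]
    for cert in chain[1:]:
        result = reduce_pair(result, cert)
        if result is None:
            return None
    return result


def authorized(verifier_key, chain, requester_key, permission, today):
    """The verifier is its own root: the reduced chain must start at its key.

    No external trusted root is consulted, which is the point the SPKI
    comments above make.
    """
    r = reduce_chain(chain)
    return (
        r is not None
        and r.issuer == verifier_key
        and r.subject == requester_key
        and permission in r.auth
        and r.not_before <= today <= r.not_after
    )


# Constructed sample chain: server S grants Alice read+write with delegation;
# Alice passes read-only, non-delegable access to Bob.
S_TO_ALICE = Cert("S", "Alice", True, frozenset({"read", "write"}),
                  date(2000, 1, 1), date(2000, 12, 31))
ALICE_TO_BOB = Cert("Alice", "Bob", False, frozenset({"read"}),
                    date(2000, 11, 1), date(2001, 6, 30))
BOB_TO_CAROL = Cert("Bob", "Carol", False, frozenset({"read"}),
                    date(2000, 11, 1), date(2001, 6, 30))


def demo():
    """Return the outcomes a verifier at S would reach for a few requests."""
    today = date(2000, 11, 11)
    return {
        "bob_read": authorized("S", [S_TO_ALICE, ALICE_TO_BOB], "Bob", "read", today),
        "bob_write": authorized("S", [S_TO_ALICE, ALICE_TO_BOB], "Bob", "write", today),
        # Bob's cert was not delegable, so Carol gets nothing through him.
        "carol_read": authorized("S", [S_TO_ALICE, ALICE_TO_BOB, BOB_TO_CAROL], "Carol", "read", today),
        # A chain that does not start at the verifier's own key is worthless,
        # however well-formed its links are.
        "bob_without_s": authorized("S", [ALICE_TO_BOB], "Bob", "read", today),
        # Alice's grant outlives S's: the overlap rule expires Bob on S's date.
        "bob_read_2001": authorized("S", [S_TO_ALICE, ALICE_TO_BOB], "Bob", "read", date(2001, 1, 15)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The two rules worth noticing are that authority can only shrink as it is delegated (intersection of permission sets, overlap of validity windows) and that the verifier accepts only chains rooted at its own key, so there is no certificate "that only God could properly hold".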

  • Postmodernity is critical of consumerism? I beg to differ.
    This is always the difficulty when using such commonly misused terms. I like to think of postmodernity as a reference to a period in history. That is, a time period. According to this way of thinking, both the prefix "post" and the "modern" part of the term seem to make good sense. Using the word in this way, even those who despise the humanities can have a clear reference as to what is being discussed.
    The precise demarcations of this boundary call into question the nature of precision and boundaries as useful concepts, but that's part of the fun of it. What is clear though, is that the postmodern era has clearly been an era in which rampant consumerism has surpassed all previously conceived limits and continues to gain momentum.
    Indeed, it could be argued that the technology which has defined postmodernity is built on a metaphor of consumption without limit. Think of the hard drive ad . . . on a clean disk, you can see forever!
    The constant consumption of ever more bandwidth and CPU cycles is further evidence that postmodernity has never stopped to question consumerism. In fact, leading consumption to ever more extreme excess is the defining movement of postmodernity.
    To assume that just because some wannabe trendy-journal-scouring artists in New York call their re-cycled sentimental surrealist crap "postmodern art" implies postmodernism questions consumerism is misguided. This kind of abuse is one of the reasons that many people get turned off as soon as they see such terms being thrown around.
    And as far as public key cryptology goes, it will be useless to keep information confidential once we have all been assimilated into the borg collective. Now that is where postmodernity is joyfully leading us and that is why slashdot readers deserve better than to have such important terms abused.
  • the conclusion of the paper was "...the time has now come to recognise the inherent deficiencies of X.509 architectures, abandon attempts to impose them on open, public systems, and restrict their use to within organisations that have strict hierarchical structures." Seems that use would be acceptable if an independent organisational hierarchy is implemented.
  • Being "out of date" here has nothing to do with it; the issues are based on what approach is used. Various approaches must be based on distinct underlying concepts behind privacy/encryption.

    If you read the article -- especially towards the end, where the author discusses alternatives -- you learn that the danger discussed lies in the association of one specific ID to one specific person/entity. This is compounded by having keys held by single, hierarchical, authoritarian entities (thus available in principle to gov't agencies/commercial entities).

    Rather than attempt to reduce risk by this approach, the author recommends a more realistic approach such as that implemented (however well or badly) by PGP: Use a "degree of risk" assessment, and facilitate multiple, decentralized assignments of person/entity to various semi-secure ID's.

    The article makes me sad, because one of my battles in everyday life is to try to bring together the disparate aspects of my "self," but I fully understand why I probably should utilize multiple "nyms" if I want both to post stuff in forums like this, and be employed again at some future time! Until we live in a more trustworthy society, I am probably safer (i.e., more viable as an economic organism) with multiple identities. sigh....

  • by Anonymous Coward
    > He claims that PKI implies one trusted root. Wrong. Look in your browser for about 30. You can decide to trust or not trust each of them. You can add new ones.

    Which was to say, the problem is the hierarchy wherein trust runs only linearly. Also, the thirty are still just multiple examples of the 'one trusted root'.

    I can get a Verisign cert, or Thawte, or.... and if I present to you a signed / 'certified' check for a million $'s, would you agree it was genuine? I wouldn't.

    > Besides, many corporate implementations of PKI issue building-access badges to users with similar proof-of-identity requirements. Is it too much to ask to issue a smartcard at the same time? No, institutions do this today.

    Absolutely, and that's not the problem. I believe the point was that the verification criteria differ widely. Then, given any cert/ID you do not have control over which attributes are presented. Prove your age, sir? Sure: Here's my name/address/key-usage/email/credit-limit....

    I'm not a super-privacy zealot, but we both know that even if this information is mostly ignored, it will not change the basic fact that you cannot not present it. Whether it's a PKI-only issue or not is immaterial: He's not saying it's a PKI only issue - he's saying it's a problem with PKI - you're arguing that it isn't. Subtleness kills.

    > little or no choice as to who will issue the token - This is understandable, since the PKI group in an organization will typically have determined the most appropriate security class of tokens for the deployment.

    Problem being the someone else part - you seem to assume they automatically know best. It's not unthinkable that someone made a poor decision, possibly in retrospect, and that you want higher security than they designed. Do you now put your ever-so-slightly-insecure smart cards within a 'secure wallet' that protects up to 5 smart cards of your choice? The whole reason we're designing something, such as PKI, is that someone else had not been able to come up with a, to us, satisfactory solution.

    > And any organization who does keygen on behalf of a user is plain dumb.

    Two things: You think it's dumb? So do I. But you'd be amazed how seldom dumb ideas have failed to take off.

    I can give you a list of at least 5 banks that I personally have spoken to on this matter, and they are very interested in this. Yes, that would be using an HSM which is highly secure ..... So, they have my money. And, they store my key. Great. If you're in the UK, think about the RIP bill and its impact on that key storage too.

    > In 4, he claims that it's possible to steal keys by breaking into a server. Again, that's up to the deployment. We recommend that keys are stored on hardware tokens. Plain and simple. Most devices do not provide for a facility to remove a key from a hardware token.

    The point is that there is no way of telling how securely the key is/has been stored. Therefore you, trusting a particular key, become slightly wobbly.

    > "Private keys are susceptible to a vast array of risks, both of capture, and of invocation without the authority of, or even knowledge of, the consumer/citizen." bunk. Plus, the rest of the paragraph doesn't really support this sentence anyway.

    If we just look at the bit you used then... Are you saying there are no risks? I think that there are a number of risks, which goes back to the concept of total trust that the author cites as a basic flaw that he is not happy with.

    Most people know they should read the fine print before signing something - because they know that putting a signature on a piece of paper means something.

    Most users can't tell if the iKey they just stuck in their USB port was just used to log on, sign the email they wanted to sign or do something else. Of course, this can be helped, but only if there is a trusted computer/device in between - which is one of the central arguments in the papers. There isn't - at least not yet. It has to be practical too, not just techie-explainable.

    In the end, you can get a lot of mileage out of a PKI, but you have to make many assumptions. Assumptions can be dangerous.
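
The disagreement above, whether thirty browser roots are thirty independent trust decisions or thirty copies of the same "one trusted root", and the PGP web of trust that several posters hold up as the alternative, can both be made concrete with the same set of signed certifications. The following is an added example, constructed for this thread and not code from any poster, from a browser, or from PGP: the hierarchical model accepts a key if any chain of signatures leads down from any root in the store, and the web-of-trust model accepts a key only if the owner's own trusted introducers vouch for it. Signature verification is assumed to have been done already (an assumption; only the trust decision is modelled), and all key names are constructed labels.

```python
"""Two ways of deciding whether a key is trustworthy, over the same signed
certifications (added example, constructed; not code from any poster).

Each pair (issuer, subject) means "issuer's key has signed subject's
certificate".  Assumption: the signatures themselves are already verified,
so only the trust decision is modelled.  Names are constructed labels.
"""


def hierarchical_valid(certs, trusted_roots, leaf, max_depth=5):
    """X.509-style path validation: leaf is valid if some chain of
    signatures walks from any root in the trust store down to it."""
    children = {}
    for issuer, subject in certs:
        children.setdefault(issuer, set()).add(subject)

    def walk(node, depth):
        if node == leaf:
            return True
        if depth == 0:          # bound the walk so cycles cannot loop forever
            return False
        return any(walk(child, depth - 1) for child in children.get(node, ()))

    return any(walk(root, max_depth) for root in trusted_roots)


def web_of_trust_valid(certs, owner, full, marginal, marginals_needed=2):
    """PGP-style web of trust: starting from the owner's own key, a key
    becomes valid when it is signed by one fully trusted valid key or by
    at least `marginals_needed` marginally trusted valid keys.  Returns
    the set of valid keys."""
    signers = {}
    for issuer, subject in certs:
        signers.setdefault(subject, set()).add(issuer)
    valid = {owner}
    changed = True
    while changed:              # iterate to a fixed point
        changed = False
        for key, who in signers.items():
            if key in valid:
                continue
            vouching = who & valid
            if vouching & full or len(vouching & marginal) >= marginals_needed:
                valid.add(key)
                changed = True
    return valid


# Constructed certifications.
CERTS = [
    ("RootA", "CA1"), ("CA1", "shop.example"),      # a normal hierarchy
    ("RootB", "CA2"), ("CA2", "bank.example"),
    ("Alice", "Bob"), ("Alice", "Carol"),           # a small web of trust
    ("Bob", "Eve"), ("Dave", "Eve"),
]


def demo():
    """Outcomes that illustrate the two points argued in the thread."""
    store = {"RootA", "RootB"}
    # Any root in the store can vouch for any name: a second certificate
    # for bank.example issued under a newly added RootX is accepted just the
    # same, which is why "thirty roots" is thirty copies of one root.
    rogue = CERTS + [("RootX", "bank.example")]
    wot = web_of_trust_valid(CERTS, "Alice", full={"Alice"}, marginal={"Bob", "Carol"})
    # With Carol also vouching for Eve, two marginal signatures suffice.
    wot2 = web_of_trust_valid(CERTS + [("Carol", "Eve")], "Alice",
                              full={"Alice"}, marginal={"Bob", "Carol"})
    return {
        "shop_ok": hierarchical_valid(CERTS, store, "shop.example"),
        "bank_without_rootb": hierarchical_valid(CERTS, {"RootA"}, "bank.example"),
        "bank_via_rootx": hierarchical_valid(rogue, {"RootA", "RootX"}, "bank.example"),
        "wot_eve": "Eve" in wot,
        "wot_eve_two_marginals": "Eve" in wot2,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The defender's lesson from the `bank_via_rootx` case is that a root store is only as strong as its weakest member, because every root can sign for every name; the web-of-trust cases show the other trade-off, that validity depends entirely on whom the owner has chosen to trust, and a key with a single marginal introducer stays unverified.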

  • It seems to me that you are the one confusing your terms. PostmodernITY is of course not critical of consumerism because it is constituted by the consumerism. But I used the term PostmodernISM. This -ism, whether or not it is appropriately termed 're-cycled sentimental surrealist crap,' had its roots in art and has extended into discussions about ethics, culture and the human race. It is comprised of an acknowledgement of the disintegration of certainty entailed by new technology, consumerism, and consumer culture, and a reaction paired to that acknowledgement. It starts with the question, "what do we do in/about postmodernity," not with the statement "postmodernity is good."

    Likewise, modernISM was critical of the victorian and romantic elements of modernITY. What you have done in your post is to conflate the time period with the intellectual reaction to it, confusing the -ITY with the -ISM.

    If this seems like yet more 'wannabe trendy journal scouring' to you, let me put this in more easily understandable terms. The shift from the authoritative, absolute trust of SKI to the relativism of PGP is part of a larger trend of a breakdown in certainty that occurred in many forms of thought in this century. This breakdown occurs because every system that attempts to establish certainty is somehow flawed on its own terms.

    Internet consumerism requires a great deal of certainty to be practical, so the intellectuals orchestrating the system for the masses who will use it without understanding it must therefore choose between a flawed system or one that does not support consumerism for these masses.

    When you announce "where postmodernity is leading us" you are correct. But as you say Postmodernity is 'after'-'modern,' and in fact a result of the intellectual movement of a modernISM reacting against modernITY. It is fair criticism, however, that I have been ambiguous by using the word 'Postmodern.' What I should have said is 'Postmodernist.'
  • Even if PKI were to be a satisfactory solution for the protection of transmitted information, as a concept and less in its implementation, its main value is to instill a false sense of security amongst sysadmins and users alike. The current vogue for solving public crypto problems seems to reinforce the idea that cryptography is an end in itself. Information in the public domain informs us that EVERY electrical and electronic item radiates energy in the electromagnetic spectrum. This radiated energy can easily be intercepted either directly (in the case of a VDU) with a high gain, directional antenna, a television receiver and $50 spent wisely at Radio Shack or indirectly on any conducting medium. One does not require "every computer on earth processing for 1000 years to break xxx crypto system" when the information one requires access to is to be found on the hdd of computers to be found in the garbage skip of almost any organisation or corporation one could name. In the days when Mainframe and mini computers were the norm, computer scientists, engineers and programmers unfortunately coined the phrase "Computer Security" when they meant data security, in reality 'Data Integrity'. This lack of clarity has led to almost but not complete activity in the real security field and a belief amongst end users that 'secure data processing' is something that it is not. The truth of the matter is that then as now the principal interest of the computing community is in having the first, the fastest, the biggest, the most reliable, the biggest bang for the buck, etc. Any consideration of the security of information is an afterthought usually in the form of a material or software band-aid. I am not just talking about the PC on which you are reading this comment but also the most sophisticated systems at the highest level and in the most secret parts of any government.
    As an engineer I can understand the concerns of the designers and engineers about crosstalk, signal to noise ratio and many, but nowhere near all, of the other factors to be considered in the creation of a computing platform, but is information security the fundamental consideration? No, of course it isn't. And why? Because information security is not a fundamental and the primary consideration of governments and corporations large and small - not even corporations involved in the provision of security to others at great cost to the recipient and profit to stock holders. PKI like any other product which purports to enhance security is nothing more than the computing version of the Band-Aid and like the Band-Aid we place over a wound is no guarantee of protection from infection because the flora and fauna on the skin is already under the Band-Aid.
  • How can something that is so incomprehensible that most people look at me with a confused look on their face when I even say "PKI" be outdated? It is as the name implies, infrastructure for security purposes. I wish it were a bit less cumbersome, but there just doesn't seem to be an easy way to roll out this type of security. Please, if someone has a better idea, let's hear it!
  • Why does Taco have an inability to link properly? The words "a substantial failure" are the content of his <a> element. The hyperlinked words should reveal the meaning of the object being linked to. You shouldn't just link three random words from the blurb. That's silly.
