[LINK] slashdot: PKI

[rsedc@urgento.gse.rmit.EDU.AU]

Someone here gonna be slashdotted.

        <http://slashdot.org/article.pl?sid=00/11/11/1517235&mode=thread>

        Is The Public Key Infrastructure Outdated?
        Encryption | Posted by CmdrTaco on 00-11-11 11:17
        from the something-to-think-about dept.

Some thoughtful comment there:

        He claims that PKI implies one trusted root. Wrong. Look in your
        browser for about 30. You can decide to trust or not trust each of
        them. You can add new ones.

I have the same opinion a few years ago. The idea of a single or a
small number of monolithic Certification Authorities was pre-browser
era that is dead. Netscape broke that single-handedly by forcing a
'flat' collection of CA structure in the browsers and enable the
end-users to add new CAs if they trust them. So every person and his/her
dog can be CAs. The PKI software toolkit developers follow the model and
now many non-browser softwares involving PKI also use the same model.
Furthermore, X.509 has cross-certification allowing CAs to certify one
another 'at the same level' without a higher common root CA. Thus if X.509
and the Netscape model are pushed to the extreme, where every person
is a CA, this approaches the PGP's web of trust. The real situation
will be somewhere in between. There is no point bashing a dead horse.

The commentor also correctly noticed that many of the complains
from the paper are government preferences or implementation issues,
not X.509 standard issues. I can recall off-hand that X.509 leave the
question of key-pair generation open whereas Roger seemed to complain
about that under the X.509 heading.

But watch out for the quality of some of the somments :)

e.g.  
        Hell, I implemented a 512-bit version of DES for a computer
        project at Sarah Lawrence College (my school) last year.

--
David Chia, RMIT University