Public Key Infrastructure

From MgmtWiki
Jump to: navigation, search

Full Title or Meme

An industry built up around Assurance of the Identity of Entities on the internet using X.509 Certificates and Public Key Cryptography.

Context

  • The Public Key Infrastructure was build up to support the CCITT X.509 Certificate which was designed by the monopoly telephone companies to continue their existing business model of charging a recurring fee to customers who had no choice in the matter.
  • The idea that a X.509 Certificate should have a limited life-time made sense for the telco, but no sense what-so-ever for a Relying Party who wanted to check a signature, that might have been made at some time in the past when the certificate was valid, but theoretically is invalid at the time the signature was checked.
  • Lots of work-arounds were devised for the limitations of PKI, but they all involved extraordinary complexity that made life difficult for anyone that wanted to implement the technology.
  • One of the last work-arounds was to introduce Online Certificate Status Protocol (OSCP) which at least got rid of the necessity for certificate revocation lists, a hold over from the 1950's credit card deployments.

Problems

  • Enterprises were willing to tolerate the pain introduced with PKI, but not a signification number of Users that could not be compelled to submit to the pain.
  • Problems have been known for a long time[1]

Solutions

  • The basic business model of selling Trust for money can never work in a capitalist economy. Any standard causes a race to the bottom. PKI should be abandonded, but the problem is proposing a workable solution that is financially sound as well as a secure expresseion of Trust is not known in late 2018.
  • FIDO U2F will put a Trust token in the hands of users, but does not help the bigger problem, how to Trust the Web Site Identity.

References

  1. Robert A. Grimes, 4 Fatal Problem with PKI. (2015) CSO https://www.csoonline.com/article/2942072/security/4-fatal-problems-with-pki.html