Difference between revisions of "Public Key Infrastructure"
From MgmtWiki
(→Solutions) |
(→References) |
||
Line 17: | Line 17: | ||
==References== | ==References== | ||
+ | |||
[[Category:Glossary]] | [[Category:Glossary]] | ||
[[Category:Identity]] | [[Category:Identity]] | ||
+ | [[Category:Cryptography]] |
Revision as of 16:19, 18 April 2019
Full Title or Meme
An industry built up around Assurance of the Identity of Entities on the internet using X.509 Certificates and Public Key Cryptography.
Context
- The Public Key Infrastructure was build up to support the CCITT X.509 Certificate which was designed by the monopoly telephone companies to continue their existing business model of charging a recurring fee to customers who had no choice in the matter.
- The idea that a X.509 Certificate should have a limited life-time made sense for the telco, but no sense what-so-ever for a Relying Party who wanted to check a signature, that might have been made at some time in the past when the certificate was valid, but theoretically is invalid at the time the signature was checked.
- Lots of work-arounds were devised for the limitations of PKI, but they all involved extraordinary complexity that made life difficult for anyone that wanted to implement the technology.
- One of the last work-arounds was to introduce Online Certificate Status Protocol (OSCP) which at least got rid of the necessity for certificate revocation lists, a hold over from the 1950's credit card deployments.
Problems
- Enterprises were willing to tolerate the pain introduced with PKI, but not a signification number of Users that could not be compelled to submit to the pain.
- Problems have been known for a long time[1]
Solutions
- The basic business model of selling Trust for money can never work in a capitalist economy. Any standard causes a race to the bottom. PKI should be abandonded, but the problem is proposing a workable solution that is financially sound as well as a secure expresseion of Trust is not known in late 2018.
- FIDO U2F will put a Trust token in the hands of users, but does not help the bigger problem, how to Trust the Web Site Identity.
References
- ↑ Robert A. Grimes, 4 Fatal Problem with PKI. (2015) CSO https://www.csoonline.com/article/2942072/security/4-fatal-problems-with-pki.html