Difference between revisions of "Public Key Infrastructure"

Revision as of 16:19, 18 April 2019

An industry built up around Assurance of the Identity of Entities on the internet using X.509 Certificates and Public Key Cryptography.

The Public Key Infrastructure was build up to support the CCITT X.509 Certificate which was designed by the monopoly telephone companies to continue their existing business model of charging a recurring fee to customers who had no choice in the matter.
The idea that a X.509 Certificate should have a limited life-time made sense for the telco, but no sense what-so-ever for a Relying Party who wanted to check a signature, that might have been made at some time in the past when the certificate was valid, but theoretically is invalid at the time the signature was checked.
Lots of work-arounds were devised for the limitations of PKI, but they all involved extraordinary complexity that made life difficult for anyone that wanted to implement the technology.
One of the last work-arounds was to introduce Online Certificate Status Protocol (OSCP) which at least got rid of the necessity for certificate revocation lists, a hold over from the 1950's credit card deployments.

Enterprises were willing to tolerate the pain introduced with PKI, but not a signification number of Users that could not be compelled to submit to the pain.
Problems have been known for a long time^[1]

The basic business model of selling Trust for money can never work in a capitalist economy. Any standard causes a race to the bottom. PKI should be abandonded, but the problem is proposing a workable solution that is financially sound as well as a secure expresseion of Trust is not known in late 2018.
FIDO U2F will put a Trust token in the hands of users, but does not help the bigger problem, how to Trust the Web Site Identity.

@@ Line 17: / Line 17: @@
 ==References==
 [[Category:Glossary]]
 [[Category:Identity]]
+[[Category:Cryptography]]