Difference between revisions of "Public Key Infrastructure"
From MgmtWiki
(→Context) |
(→Solutions) |
||
Line 15: | Line 15: | ||
*The basic business model of selling [[Trust]] for money can never work. PKI should be abandonded, but the problem is proposing a workable solution that is financially sound as well as a secure expresseion of [[Trust]] is not known in late 2018. | *The basic business model of selling [[Trust]] for money can never work. PKI should be abandonded, but the problem is proposing a workable solution that is financially sound as well as a secure expresseion of [[Trust]] is not known in late 2018. | ||
*[[FIDO U2F]] will put a [[Trust]] token in the hands of users, but does not help the bigger problem, how to [[Trust]] the [[Web Site Identity]]. | *[[FIDO U2F]] will put a [[Trust]] token in the hands of users, but does not help the bigger problem, how to [[Trust]] the [[Web Site Identity]]. | ||
− | + | ==References== | |
[[Category:Glossary]] | [[Category:Glossary]] | ||
[[Category:Identity]] | [[Category:Identity]] |
Revision as of 15:13, 8 September 2018
Full Title or Meme
An industry built up around Assurance of the Identity of Entities on the internet using X.509 Certificates and Public Key Cryptography.
Context
- The Public Key Infrastructure was build up to support the CCITT X.509 Certificate which was designed by the monopoly telephone companies to continue their existing business model of charging a recurring fee to customers who had no choice in the matter.
- The idea that a X.509 Certificate should have a limited life-time made sense for the telco, but no sense what-so-ever for a Relying Party who wanted to check a signature, that might have been made at some time in the past when the certificate was valid, but theoretically is invalid at the time the signature was checked.
- Lots of work-arounds were devised for the limitations of PKI, but they all involved extraordinary complexity that made life difficult for anyone that wanted to implement the technology.
- One of the last work-arounds was to introduce Online Certificate Status Protocol (OSCP) which at least got rid of the necessity for certificate revocation lists, a hold over from the 1950's credit card deployments.
Problems
- Enterprises were willing to tolerate the pain introduced with PKI, but not a signification number of Users that could not be compelled to submit to the pain.
- Problems have been known for a long time[1]
Solutions
- The basic business model of selling Trust for money can never work. PKI should be abandonded, but the problem is proposing a workable solution that is financially sound as well as a secure expresseion of Trust is not known in late 2018.
- FIDO U2F will put a Trust token in the hands of users, but does not help the bigger problem, how to Trust the Web Site Identity.
References
- ↑ Robert A. Grimes, 4 Fatal Problem with PKI. (2015) CSO https://www.csoonline.com/article/2942072/security/4-fatal-problems-with-pki.html