The problem that PKI is intended to address is
trust. I can trust what you say if
someone I trust authorises what you say.
It really is that simple to say, and at the same time fiendishly
complicated to implement correctly.
It may surprise you to know that we've been doing PKI
since the end of the 19th century, in the role of Justice of the Peace. This is a person who will witness a signature
on an official document. The receiver of
the document trusts that the document is genuine as they trust the JP, and the
JP saw you sign it.
However, the 19th century version has the same problems
as current PKI.
When I had a legal document witnessed at the local public library, the
JP had no way of validating that the form I was signing was genuine. He also made no effort to validate that what
I signed was really my signature, nor that I was the person referenced on the
form - which makes sense as there is no way he could have done that anyway.
What he asserted is that a real person made a real mark
on a real piece of paper. Everything
else is covered by laws against fraud.
And this has worked for more than 100 years, and continues to work
today.
If we used current PKI to do only this - assert that a
real computer made a real communication at a definite time - everything would be
fine. But we don't. We want to know which computer, and so ask
questions about identity, and then act surprised when the implementations fail
us.
PKI is the answer.
It's the question that's wrong.
Phil Kernick Chief Technology Officer
@philkernick www.cqr.com