EU Draft Digital Signature Directive

[Ian Brown]

> I suspect that funamental issues as to the nature of identity on-line
> will have to be answered. Communication with pals is ok, but surely the
> point of public key encryption is that more becomes possible.

Agreed: but in subtle ways that are usually missed by the stampede to put
in place some kind of global PKI.

If I communicate on-line with friends, I obviously want to be sure I am
talking to the same individuals I know physically. The best way to do this
is physically exchange keys (or fingerprints) when we meet.

Why would I want to talk to someone electronically whom I'd never met?
Perhaps I've read some particularly thought-provoking posts they've made to
a mailing list. As I said, I then want to talk to the person who made those
posts. Their name is *irrelevant*. Or perhaps a friend has recommended I
talk to individual x by e-mail. Again, the name of x is irrelevant: I want
to talk to the individual my friend recommended. In that case, I need a
certificate from my friend (whose key I already have a secure copy of)
saying "the person I call x has key 0x841B6E6" 

This is quite a fundamentally different way of working than a small set of
global CAs creating (name,key) certificates for every individual on the
planet. Not only would that be a grossly inefficient way of working: as we
have seen with TTPs, it presents a big fat target for governments to
attempt to subvert toward their own ends.

A distributed naming system is much better, for ergonomic *and* liberty
reasons.

Ian.