Digital Signatures
Ben Laurie
ben at algroup.co.uk
Mon, 31 Aug 1998 00:51:35 +0100
Carl Ellison wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> From: "Brian Gladman" <gladman@seven77.demon.co.uk>
> Date: Sun, 30 Aug 1998 12:21:02 +0100
>
> There has been a useful exchange of views on this list over recent days
> on the issues of bringing digital signature technology into widespread
> use. An important aspect that many of the posts have clarified is that
> there are two central issues of principle in gaining confidence in
> (cryptographic) digital signature primitives:
>
> [... -- two kinds of binding between keys and people ]
>
> I am connected to my ISP via SSH, as I read this, and I used public key
> authentication to do that connection.
>
> I remember thinking, as I connected using a digital signature, that the
> whole PKI technology issue may be hype. If we started with individual
> applications, as Tatu did with SSH, would we ever have come up with a need
> for an identity-PKI? Would we even have come up with a need for
> authorization certificates (à la SPKI)? Our needs may have been met for a
> long time, just by PGP key signing and hand delivery of keys, with
> keys in an ACL the way SSH does it.
>
> Of course, I'm not sure I believe that -- but the thought did hit me and I
> thought I'd share it.
It isn't so mad. In practice, I trust a few PGP signatures, a couple of
public CAs (but only in the sense that I believe that their failure to
perform would be very bad PR for them) and a couple of private CAs. The
private CAs could just as easily be PGP signatures; the snag is that the
technology (SSL) doesn't permit that. The PGP signatures belong to
people I trust to keep their keys private and sign sensibly, and the
public CAs don't count (I have to use them, but I don't _really_ trust
them). So, yes, I don't need PKI. Not right now, anyway.
Cheers,
Ben.
--
Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/
London, England. |"Apache: TDG" http://www.ora.com/catalog/apache/
WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/
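The "keys in an ACL the way SSH does it" model that Carl describes and Ben endorses above, as an added illustration in Go (editor's example, not code from the thread, from SSH, or from any project named here). It uses the standard library's Ed25519: the server trusts a public key because an administrator listed it, not because any CA vouched for it, and it authenticates by having the client sign a fresh challenge. The fingerprint scheme, the `ACL` type and the challenge format are constructed simplifications and do not reproduce the SSH wire protocol or its authorized_keys format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// ACL maps a public-key fingerprint to the principal that key is authorised
// to act as. It stands in for SSH's authorized_keys: trust comes from the
// administrator listing the key (the "hand delivery" step), not from a CA.
type ACL map[string]string

// Fingerprint is a constructed, simplified fingerprint: SHA-256 over the raw
// Ed25519 public key, base64 without padding. Real SSH hashes the wire-format
// key blob, which this example does not reproduce.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// Add authorises pub to act as principal (done out of band by whoever
// administers the server).
func (a ACL) Add(pub ed25519.PublicKey, principal string) {
	a[Fingerprint(pub)] = principal
}

// NewChallenge returns fresh random bytes for the client to sign. Freshness is
// what prevents a captured signature from being replayed later.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Authenticate checks a client's response: the key must be in the ACL and the
// signature must verify over exactly this challenge. Membership is checked
// first so no verification work is spent on keys nobody authorised.
func (a ACL) Authenticate(challenge []byte, pub ed25519.PublicKey, sig []byte) (string, error) {
	if len(pub) != ed25519.PublicKeySize {
		// ed25519.Verify panics on a malformed key, so reject it up front.
		return "", errors.New("malformed public key")
	}
	principal, ok := a[Fingerprint(pub)]
	if !ok {
		return "", errors.New("key not in ACL")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return "", errors.New("signature does not verify over this challenge")
	}
	return principal, nil
}

func main() {
	// Constructed demo: one listed key, one stranger's key.
	benPub, benPriv, _ := ed25519.GenerateKey(rand.Reader)
	strangerPub, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)

	acl := ACL{}
	acl.Add(benPub, "ben")

	ch, _ := NewChallenge()

	// Listed key, fresh signature: accepted as "ben".
	fmt.Println(acl.Authenticate(ch, benPub, ed25519.Sign(benPriv, ch)))

	// A perfectly valid signature from a key nobody listed: rejected.
	fmt.Println(acl.Authenticate(ch, strangerPub, ed25519.Sign(strangerPriv, ch)))

	// Listed key, but a signature captured from an earlier challenge: rejected.
	old := ed25519.Sign(benPriv, ch)
	ch2, _ := NewChallenge()
	fmt.Println(acl.Authenticate(ch2, benPub, old))
}
```

The point the example makes concrete is the one Ben draws: the server never needs to know who "ben" is in any global sense, only that this particular key was placed in its list by someone it already trusts. Revocation is equally local (delete the line), which is exactly what an identity PKI adds machinery for.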