Public Keys and the Web Page.

Nicholas Bohm nbohm at ernest.net
Sun, 20 Jun 1999 16:27:54 +0100 

At 01:27 PM 6/20/1999 +0100, David.Goodenough@dga.co.uk wrote:

>The problem that this does not address is the one asked on this list some
>months ago, which was that I can be confident that my credit card details
>are only visible in two places , assuming I have a nice strong 128 bit SSL
>pipe, i.e. here and the other end:  The question is, where is the other
>end?  To put it another way, if it goes wrong, who do I sue.

In the case of credit cards, sue the card issuer.  That's what the banking
system is there for, and trying to invent a PKI to replace it is liable to
be wasteful.

>This mechanism provides little checking that the organisation at the other
>end is who they say they are and that they are an identifiable legal
>entitiy that you could sue.  This problem is actually worse if the key
>changes frequently, as you do not even have the reasurance that it is the
>same one as last time, it would provide a perfect cover for the interloper
>as the key would be expected to change.

This may argue for a longlife signature key which verifies a succession of
shortlife confidentiality keys.  The signature key (or rather its
fingerprint) could appear in the owner's corporate literature, letterhead,
business cards, trade directories, etc, etc, providing a multiplicity of
channels too hard to spoof at any tolerable cost.

This makes revocation difficult, like changing a telephone number.  But it
may be that making revocation difficult is less of a problem than letting
machines rely on the the certificate revocation lists of a PKI, which may
themselves be vulnerable to sophisticated corruptions.

Regards,

Nicholas Bohm

Salkyns, Great Canfield,
Takeley, Bishop's Stortford CM22 6SX, UK

Phone		01279 871272	(+44 1279 871272)
Fax		01279 870215	(+44 1279 870215)
Mobile   	0860 636749  	(+44 860 636749)

PGP RSA 1024 bit public key ID: 0x08340015.  Fingerprint:
9E 15 FB 2A 54 96 24 37  98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF