bye bye ViaCode
Pete Chown
1 at 234.cx
10 Jun 2002 09:49:46 +0100
Adrian Midgley wrote:
> You have met our central (key) management?
I suppose if it's incompetent, that's a reason to do your own! A better
solution would be to fix the central system, but perhaps that's not an
option in the NHS... :-)
> I don't see that if someone is careless to the extent that I wouldn't trust
> their signature on another key (something I can reflect in how I use my
> software) that I can rely on their key having been kept secure after it is
> issued by the central authority.
That's true, but you can still make that decision if the key is issued
centrally. Most of the people I know who would fall into that category
would be happier with a paper document anyway. You know, because they
can only read electronic copies on the days when their computer doesn't
have a virus...
> I'd like to know that notes made and sent to me cannot be repudiated, and
> that notes I send to someone else cannot be read before they get there.
But surely you get that with a centralised key management architecture,
and with a lot less work too.
> Right. But I think the assumption is that if I get a request to encrypt your
> notes against a key for Dr J Smith Darlington Memorial Casualty Dept, and
> send them to the address given, that I am going to _trust_ that this person
> is fit and proper, and of course that this key is theirs and nobody else's.
I think I see where you're coming from here. The point is that -- in
practice if not in theory -- the CA is going to override your normal
judgement. At the moment, if you get a request for someone's details
that seems a bit odd, you ask for more details or refuse. With a PKI in
place, it's harder to refuse. People won't understand the difference
between you believing that the request is from Dr Smith, and you
believing that the request is acceptable in all respects. (Of course if
Dr Smith is incompetent you might suspect that his key has been stolen,
in which case the request might not even be from him.)
I'm not sure how you solve this one. With a WoT, someone might have
certified Dr Smith's key without trusting him as an introducer. So Dr
Smith's key could come up as trusted, even though no one expressed trust
in Dr Smith as a person. The only statement they made was that they had
seen evidence to the effect that Dr Smith's key was X.
(BTW, how do the NHS keep keys safe? Do they use hardware modules or
just store the keys on the relevant computers? If the latter, stealing
large numbers of keys probably wouldn't be too hard.)
--
Pete
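The distinction drawn in the message above between certifying that a key belongs to someone and trusting that person as an introducer is exactly what the PGP web-of-trust validity calculation encodes. The following is an added illustration, not code from the original mail or from any NHS or PGP software: a toy evaluator of the "one full or three marginal introducers" rule, with a constructed keyring in which Dr Smith's key comes out valid even though nobody trusts Dr Smith as an introducer. The key IDs, the names Dr Jones and Dr Bloggs, and the threshold values are placeholders chosen for the example.

```python
from dataclasses import dataclass, field

# Owner-trust levels in the style of the PGP web of trust (labels are our own).
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = range(5)


@dataclass
class Key:
    keyid: str                                   # constructed placeholder, not a real key ID
    uid: str                                     # user ID that the certifications vouch for
    owner_trust: int = UNKNOWN                   # how far we trust the owner as an introducer
    certifiers: set = field(default_factory=set)  # keyids that have signed this uid


def compute_validity(keys, marginals_needed=3, completes_needed=1):
    """Return the set of keyids whose uid binding is valid under the WoT rules.

    A key is valid if it is ultimately trusted (our own), or if its uid carries
    certifications from enough *valid* keys whose owners we trust as introducers
    (one fully trusted, or `marginals_needed` marginally trusted).  The owner
    trust of the certified key itself never enters into its own validity; that
    is the point the mail makes about Dr Smith.
    """
    valid = {kid for kid, key in keys.items() if key.owner_trust == ULTIMATE}
    changed = True
    while changed:                       # iterate to a fixed point for chains of introducers
        changed = False
        for kid, key in keys.items():
            if kid in valid:
                continue
            full = marginal = 0
            for c in key.certifiers:
                if c not in valid:       # a signature from an unvalidated key counts for nothing
                    continue
                t = keys[c].owner_trust
                if t in (FULL, ULTIMATE):
                    full += 1
                elif t == MARGINAL:
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                valid.add(kid)
                changed = True
    return valid


def build_example():
    """Constructed keyring reproducing the mail's scenario (all names are placeholders)."""
    return {
        "me":     Key("me", "Pete (our own key)", owner_trust=ULTIMATE),
        "jones":  Key("jones", "Dr Jones", owner_trust=FULL, certifiers={"me"}),
        # Dr Jones certified Dr Smith's key, but nobody trusts Dr Smith as an introducer.
        "smith":  Key("smith", "Dr J Smith, Darlington Memorial Casualty Dept",
                      owner_trust=NEVER, certifiers={"jones"}),
        # A key vouched for only by Dr Smith: valid key, untrusted introducer, so no validity.
        "bloggs": Key("bloggs", "Dr Bloggs", certifiers={"smith"}),
    }


def explain(keys):
    """Map each keyid to (is_valid, owner_trust) so the two notions can be compared side by side."""
    valid = compute_validity(keys)
    return {kid: (kid in valid, key.owner_trust) for kid, key in keys.items()}


if __name__ == "__main__":
    for kid, (is_valid, trust) in explain(build_example()).items():
        print(f"{kid:7s} valid={str(is_valid):5s} owner_trust={trust}")
```

Running the block shows `smith` as valid with owner trust `NEVER`, while `bloggs`, certified only by Smith, stays invalid. Validity answers "is this really Dr Smith's key?"; owner trust answers "do I accept Dr Smith's word about other keys?"; neither answers "should I honour this request?", which is the judgement the message says a PKI tends to crowd out.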