Comment Re:PGP != PKI (Score 1)
"Traditional PKI" is like saying Retro Quantum Computing. The problem (and I'm agreeing with you) is who do you trust? Since the Internet is global, you can't put things in the hands of any one government, nor is anyone likely to trust a private enterprise, e.g. Verisign. I also doubt that any educational institute would be that trustworthy.
So what's the solution? I'm not sure, perhaps some kind of a G8 type group commissions a non-profit organization to sign and distribute keys. It could be audited quarterly by several other private (non-profit) companies and perhaps the member governments themselves. This could, in effect, create a de facto standard for key distribution and trust relationships. Then you open up the can of worms that is private key storage. That's beyond the scope of this thread!
The current PKI model is for each organization to have its own PKI and to establish trust relationships with other organizations. I doubt that has the staying power when you introduce the consumer into the mix. The problem is that implicit trust doesn't work, i.e. if I trust Alice, and Alice trusts Bob, that doesn't mean I should trust Bob.
Why can't we use implicit trust? The same reason we don't allow other countries to do our diplomacy for us. We may now be establishing good trade relationships with China, and Taiwan may trade with us, but China and Taiwan (if you acknowledge Taiwan's sovereignty) aren't likely to trust each other. If you require explicit trust relationships, the required peering would be ridiculous. You'd wind up with the "n-squared" problem from hell. I agree, though, that there has to be something better than PGP, but for now baby steps may be the best approach.
-DS
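As an added illustration (not part of DS's post), here is a small Python model of the two points above: a PGP-style validity check in which "I trust Alice" and "Alice signed Bob" do not make Bob's key valid unless I have explicitly made Alice an introducer, and a count of the explicit relationships a full mesh needs compared to one shared introducer. All names and signatures are constructed placeholders.

```python
# Constructed data: who has signed whose key (signer -> owners of signed keys).
SIGNATURES = {
    "me":    {"alice"},
    "alice": {"bob"},
    "bob":   {"carol"},
}

# Explicit ownertrust I assign, PGP-style: "full" means I accept that key's
# signatures as introducing other keys; anything else means I do not.
OWNERTRUST = {"me": "full", "alice": "none"}


def valid_keys(signatures, ownertrust, me="me"):
    """Return the set of owners whose keys I consider valid.

    A key becomes valid only when signed by a key that is itself valid AND
    whose owner I have explicitly marked "full". Alice's key being valid does
    not make her an introducer; that is a separate, explicit decision, so
    trust does not flow implicitly from me through Alice to Bob.
    """
    valid = {me}
    changed = True
    while changed:  # iterate to a fixed point over the signature graph
        changed = False
        for signer, signed in signatures.items():
            if signer in valid and ownertrust.get(signer) == "full":
                for owner in signed:
                    if owner not in valid:
                        valid.add(owner)
                        changed = True
    return valid


def explicit_relationships(n, introducer=False):
    """Explicit trust relationships needed among n parties.

    Without a shared introducer every pair must establish trust directly,
    the "n-squared" peering problem; with one introducer each party needs a
    single relationship with it.
    """
    return n if introducer else n * (n - 1) // 2


if __name__ == "__main__":
    print(valid_keys(SIGNATURES, OWNERTRUST))                  # {'me', 'alice'}
    print(valid_keys(SIGNATURES, dict(OWNERTRUST, alice="full")))  # adds 'bob'
    print(explicit_relationships(1000), explicit_relationships(1000, True))
```

Marking Alice "full" extends validity one hop to Bob but still not to Carol, because Bob has no ownertrust of his own.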