>From a business point of view I am equally happy selling symmetric key, KDC >type approaches as PKI. In point of fact I am currently co-chair of a working >group that is developing a symmetric key protocol. However there are very few security advantages in the KDC model (e.g. resistance of symmetric key crypto to quantum cryptanalysis), plenty of security disadvantages (much more limited hardware support, not possible to apply same separation of duties controls) and some really serious operational constraints. >From a historical point of view it is certainly true that we probably made a >mistake in the original conception of PKI as making the KDC model obsolete. A >synthesis of the two approaches would have been much more valuable. In >particular if SSL had supported kerberos ticket like capabilities from the >start. We later added KDC type capabilities to PKI with protocols like XKMS >and OCSP. But the argument here strikes me as little more than an emacs/vi contest. Regardless of the technical infrastructure you employ you still have to map the network identifiers to real world identities. And that is an excercise that requires expense and consistency and attention to detail and is as boring as sin for the people actually doing it. Proposals to do away with commercial PKI come in two flavors. The first is technological magic which is founded not on a misunderstabing of the problem but a complete failure to understand that the problem exists. The second is the open source effort objection which is pretty much as viable as an open source effort to do people's tax returns for them.
________________________________ From: Masataka Ohta [mailto:[EMAIL PROTECTED] Sent: Wed 11/07/2007 5:04 AM To: Eliot Lear Cc: Douglas Otis; IETF discussion list Subject: Re: PKI is weakly secure (was Re: Updating the rules?) Eliot Lear wrote: > What I was referring to was > Ohta-san's implication that PKI is fundamentally flawed. Perhaps it is, Perhaps. Though my statement so far is PKI is not strongly secure, it implies that you can choose from equally secure design alternatives. See below. > but I don't see anything better for key distribution to millions of > people. If you, he, or anyone else comes up with something better, I'm > all ears. Though I'm not so sure about your requirement, if you need fairly secure key distribution mechanism over the Internet, KDC, not CA, based schems such as Kerberos, is better than PKI. Though KDCs require real time communication, it's free over the Internet. Moreover, because key distribution is in real time, key invalidation is instantaneous without complex mechanisms such as CRLs. That is, you can shutdown spam site instantaneously. Or, as you are trying to create a new key distribution network from the beginning, it should be easier to create a new mail distribution network from the beginning where mails are allowed only between pre-recognized bodies. A very good property of this approach is that we don't need any cryptography nor new protocol. Just have a list of IP addresses of thousands or tens of thousands of root mail servers and set up our mail software to accept mails only from them or our own proxy and send mails only to them through proxies registered to a root mail server or two or three... Setting up a new mail network is hard but, IMHO, much easier than setting up a new PKI. Though neither of the above protect us spams from cracked accounts, we are not annoyed by delays with CRLs. Of course, CAs, ISPs, KDCs and root mail servers are not very trustworthy but they should increase the cost of spammers. Masataka Ohta _______________________________________________ Ietf mailing list Ietf@ietf.org https://www1.ietf.org/mailman/listinfo/ietf
_______________________________________________ Ietf mailing list Ietf@ietf.org https://www1.ietf.org/mailman/listinfo/ietf
