trust issues associated with Public Key Infrastructure?

on 10.08.2006 15:32:43 by Johnny

What are the trust issues associated with Public Key Infrastructure?

Thanks,

Johnny.

Re: trust issues associated with Public Key Infrastructure?

on 10.08.2006 18:27:34 by Volker Birk

Johnny wrote:
> What are the trust issues associated with Public Key Infrastructure?

The main issue is: how can you trust that the public key you have really
is from the person you want to communicate with?

There are two different ideas for that topic: certification authorities
(with e.g. SSL/TLS, S/MIME) and the web of trust (e.g. OpenPGP).

For more information I'd suggest you read the Wikipedia articles
about these topics.

Yours,
VB.
--
I would estimate that about 87% of all spontaneous estimates are
complete crap.

Ralph Angenendt in debate@ccc.de

Re: trust issues associated with Public Key Infrastructure?

on 10.08.2006 20:48:03 by Johnny

>> What are the trust issues associated with Public Key Infrastructure?
>
> The main issue is: how can you trust that the public key you have really
> is from the person you want to communicate with?
>
> There are two different ideas for that topic: certification authorities
> (with e.g. SSL/TLS, S/MIME) and the web of trust (e.g. OpenPGP).


Are the following PKI trust issues?...

CAs could issue certificates without checking owner identity
CAs could deliberately issue false certificates
Private keys could be disclosed by accident or on purpose
False certificates could be inserted into browsers
How to know that a revocation request is genuine (possible denial of service attack)
Checking revoked certificates requires another secure channel
Liability issues for false or misused keys

Source:
http://66.249.93.104/search?q=cache:1F9DMPETzvgJ:www.unb.ca/pstnet/pst2005/Shaughnessy%2520Room/oct14/Josang-PST2005.ppt+trust+issues+PKI&hl=en&gl=uk&ct=clnk&cd=19

Thanks,

Johnny.

Re: trust issues associated with Public Key Infrastructure?

on 10.08.2006 23:02:39 by Volker Birk

Johnny wrote:
> Are the following PKI trust issues?...
> CAs could issue certificates without checking owner identity
> CAs could deliberately issue false certificates
> Private keys could be disclosed by accident or on purpose
> False certificates could be inserted into browsers

Yes.

> How to know that a revocation request is genuine (possible denial of service
> attack)

This I would discuss distinct from the rest.

> Checking revoked certificates requires another secure channel

I don't think so. You can use the same PKI for revocation certificates,
too, that you're using for the rest.

> Liability issues for false or misused keys

This is another topic, I think. What are you expecting here, BTW? Is
this homework? ;-)

Yours,
VB.
--
I would estimate that about 87% of all spontaneous estimates are
complete crap.

Ralph Angenendt in debate@ccc.de
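
Added example (not part of the thread and not written by its participants): a sketch of the point made in the last reply, that revocation data can be authenticated through the same PKI, by having the relying party check a CRL against the CA certificate it already trusts. It uses the Python `cryptography` package; the CA name, subject names, serial numbers and fixed clock are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2006, 8, 10, 12, 0)  # constructed, fixed clock
CA = "Example CA"                             # hypothetical CA name

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject, pub, signing_key, serial):
    # Certificate for `subject`, issued under the CA name, signed with signing_key.
    return (x509.CertificateBuilder().subject_name(name(subject))
            .issuer_name(name(CA)).public_key(pub).serial_number(serial)
            .not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .sign(signing_key, hashes.SHA256()))

def make_crl(signing_key, revoked_serials):
    # CRL that claims the CA as issuer; only the real CA key yields a valid one.
    b = (x509.CertificateRevocationListBuilder().issuer_name(name(CA))
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                .serial_number(serial).revocation_date(NOW).build())
    return b.sign(signing_key, hashes.SHA256())

def status(cert, crl, ca_cert):
    # The relying party needs nothing but the CA certificate it already trusts.
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "untrusted-crl"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"

def demo():
    ca_key, other_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    ca_cert = make_cert(CA, ca_key.public_key(), ca_key, 1)
    alice = make_cert("alice", ec.generate_private_key(ec.SECP256R1()).public_key(), ca_key, 2)
    bob = make_cert("bob", ec.generate_private_key(ec.SECP256R1()).public_key(), ca_key, 3)
    genuine = make_crl(ca_key, [2])      # the CA revokes alice's certificate
    forged = make_crl(other_key, [3])    # claims the CA name, signed by another key
    return (status(alice, genuine, ca_cert), status(bob, genuine, ca_cert),
            status(bob, forged, ca_cert))

if __name__ == "__main__":
    print(demo())
```

The signature check authenticates the CRL only; whether the list is current (its `next_update` field) is a separate check that this sketch leaves out.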