Re: [9fans] pop3 before smtp

[William Ahern <william@25thandClement.com>]

On Thu, Jul 10, 2003 at 05:50:47PM -0400, Dan Cross wrote:
> > | What is needed is a distributed PKI.
> >
> > But why?  It seems easy enough to use use private keys, and a nice
> > protocol like SRP.
>
> Well, the typical reason given is that you end up with this n^2 key
> distribution problem.  PKI (in theory, at least) solves that via
> signature chains.  Shared secret key systems like Kerberos have
> attempted to solve this with authentication hierarchies, but while
> e.g.  Kerberos has proliferated, the hierarchial authentication
> component hasn't.
>
> I don't understand this talk of `distributed PKI' though; isn't the
> whole idea of a PKI that it's distributed to begin with?  Supposedly we
> have that; it's just never really worked all that well.

Because for many things, especially when you get into generic web services,
you don't need a hierarchy of _trusted_ certificate chains that you can
trace. All you really care is that the same client who visited you yesterday
is the same one doing a follow-up today. Or maybe that you were redirected
to service XYZ, and you need a high degree (not absolute) of probability
that the service XYZ you are talking to is the one you were meant to
be redirected to.

Not to mention its pretty much requisite to build any significantly sized
trust metric system.

If I'm in a corporation, then a hierarchical system is normative. But
in the rest of the world, why do I care if some capriciously chosen
entity vouches for the _name_ (not identity) of some web site?

- Bill