From mboxrd@z Thu Jan 1 00:00:00 1970
From: William Ahern
To: 9fans@cse.psu.edu
Subject: Re: [9fans] pop3 before smtp
Message-ID: <20030711144643.GA26212@wilbur.25thandClement.com>
References: <20030710212155.6079.qmail@g.bio.cse.psu.edu> <200307102150.h6ALol704789@augusta.math.psu.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200307102150.h6ALol704789@augusta.math.psu.edu>
User-Agent: Mutt/1.5.4i
Date: Fri, 11 Jul 2003 07:46:43 -0700
Topicbox-Message-UUID: f5f299fe-eacb-11e9-9e20-41e7f4b1d025

On Thu, Jul 10, 2003 at 05:50:47PM -0400, Dan Cross wrote:
> > | What is needed is a distributed PKI.
> >
> > But why? It seems easy enough to use private keys, and a nice
> > protocol like SRP.
>
> Well, the typical reason given is that you end up with this n^2 key
> distribution problem. PKI (in theory, at least) solves that via
> signature chains. Shared secret key systems like Kerberos have
> attempted to solve this with authentication hierarchies, but while
> e.g. Kerberos has proliferated, the hierarchical authentication
> component hasn't.
>
> I don't understand this talk of `distributed PKI' though; isn't the
> whole idea of a PKI that it's distributed to begin with? Supposedly we
> have that; it's just never really worked all that well.

Because for many things, especially when you get into generic web
services, you don't need a hierarchy of _trusted_ certificate chains
that you can trace. All you really care about is that the same client
who visited you yesterday is the same one doing a follow-up today. Or
maybe that you were redirected to service XYZ, and you need a high
degree (not absolute) of probability that the service XYZ you are
talking to is the one you were meant to be redirected to. Not to
mention it's pretty much requisite to build any significantly sized
trust metric system. If I'm in a corporation, then a hierarchical
system is normative.

But in the rest of the world, why do I care if some capriciously chosen
entity vouches for the _name_ (not identity) of some web site?

- Bill