1995-10-05 - Re: Certificate proposal

Header Data

From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: 4ad8caa9e78b5039bcdd877e4b158a66cb0a5ce8cc68faab12dcc642878dafa5
Message ID: <199510051924.MAA25839@jobe.shell.portal.com>
Reply To: <9510021553.AA13756@tis.com>
UTC Datetime: 1995-10-05 19:25:49 UTC
Raw Date: Thu, 5 Oct 95 12:25:49 PDT

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Thu, 5 Oct 95 12:25:49 PDT
To: cypherpunks@toad.com
Subject: Re: Certificate proposal
In-Reply-To: <9510021553.AA13756@tis.com>
Message-ID: <199510051924.MAA25839@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


(...WAY behind in cypherpunks mail...)

Carl Ellison <cme@TIS.COM> writes:
>Let me propose an alternative unique name: the public key (or a good hash
>of it).  The public key has an advantage over both X.509 and PGP names.
>The binding between it and its human being is testable.  You can challenge
>the human in question to sign something.

I don't understand this whole discussion.  A certificate is a signed
binding of a key and a unique name, right?  If the proposal here is
that the unique name be a hash of the key, you are suggesting a signed
binding of a key with its hash!  What is the point of a certificate
which binds a key to its hash?  What is such a certificate asserting?
It seems to be saying nothing at all.  Anybody can already tell if a
hash is right, for all the good that does you.  It's like a notarized
statement that 2+2=4.  I don't see the point.  As Carl goes on to say:

>Assuming you use a public key as the unique name, you end up with a much
>simplified certificate.  In fact, the notion of "certificate" may go away,
>in the sense that the certificate binds a key to a person through a unique
>name.  The person binds himself to his key, on challenge (or on any message

If in fact this is just a suggestion that we not have certificates, that
may have some value.  But as a literal suggestion that certificates bind
a key hash to a key, that just doesn't make sense to me.

The thing to keep in mind is, why do we want certificates?  Why not just
use unsigned keys?  If I encrypt a message for Carl based on some key I
found lying around somewhere which someone told me is his, and I send it
to his mailbox, and I get a reply back, how secure is that?  We all know
that you don't get the full security of the encryption if you do this.
Man in the middle attacks might not be easy to do in such a situation but
they are certainly possible.  It is such attacks that certificates (including
PGP key signatures) are designed to prevent.

I'd like to see some grounding of this discussion in terms of the role of
certificates, and ways to prevent man in the middle attacks.  I certainly
have no love for facist worldwide ID cards and hierarchical, organization
based naming schemes, but just using any old key because it seems to work
OK most of the time isn't going to fly IMO.


Version: 2.6