Roger Clarke's 'PKI as Mis-Fit'
Conventional Public Key Infrastructure: An Artefact Ill-Fitted to the Needs of the Information Society
Roger Clarke
Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Prepared for submission to the 'IS in the Information Society' Track of the Euro. Conf. in Inf. Syst. (ECIS 2001), Bled, Slovenia, 27-29 June 2001
Version of 13 November 2000
© Xamax Consultancy Pty Ltd, 2000
This document is at http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html
Abstract
It has been conventional wisdom that, for e-commerce to fulfil its
potential, each party to a transaction must be confident about the identity of
the others. Digital signature technology, based on public key cryptography, has
been claimed as the appropriate means of achieving this aim. Digital signatures
do little, however, unless a substantial 'public key infrastructure' (PKI) is
in place to provide a basis for believing that the signature means something of
significance to the relying party.
Conventional PKI, built around ISO standard X.509, has been, and will continue
to be, a substantial failure. This paper examines that form of PKI
architecture, and concludes that the reason for its failure is its very poor
fit to the real needs of cyberspace participants. Its key deficiencies are its
inherently hierarchical and authoritarian nature, its unreasonable presumptions
about the security of private keys, a range of other technical and
implementation defects, confusions about what it is that a certificate actually
provides assurance about, and its inherent privacy-invasiveness. Alternatives
to conventional PKI are identified.
Contents
1. Introduction
2. The Perceived Need
3. Conventional Technology
3.1 Digital Signatures
3.2 Public Key Infrastructure
3.3 The X.509v3 Standard
4. Deficiencies in Conventional PKI
4.1 The Hierarchical Model of Trust
4.2 Private Key [In]Security
4.3 Technical and Implementation Weaknesses
4.4 The Limited Assurance Actually Provided
4.5 Privacy-Invasiveness
5. The Critical Need for Nyms
6. Alternative Models of Trust
6.1 PGP's 'Web of Trust'
6.2 SPKI/SDSI
6.3 Stefan Brand's Alternative Certificates
6.4 Reputation and Brand
6.5 Trust Management
7. Conclusions
References
1. Introduction
There has been a perception that the adoption of e-commerce has been
significantly slowed because, in cyberspace, buyers don't trust unidentifiable
sellers. Digital signatures, and the mechanism that supports them, Public Key
Infrastructure (PKI), have been touted as the solution to the problem. Despite
quite some years of development, however, each step forward with PKI seems to
create a set of new sub-problems.
Meanwhile, a range of other impediments to net-consumer trust of cyberspace merchants has been identified (Clarke 1999c), and PKI has been criticised on both technical grounds (e.g. Ellison and Schneier 2000) and privacy grounds (e.g. Greenleaf & Clarke 1997). This paper examines PKI from a broader perspective, by relating its features to what the Information Society really needs.
The paper commences by stating the trust problem as it was originally
perceived, and describing the currently conventional technology that has been
applied in an endeavour to solve it. Major problems with that solution are
then identified, in the areas of its hierarchical nature, key insecurity,
technical and implementation deficiencies, its failure to provide useful
assurances to net-users, and its privacy-invasiveness. The paper concludes
with an explanation of the critical nature of 'nyms', and a brisk assessment of
alternative approaches to achieving trust which offer better prospects for
meeting the real needs of the Information Society.
2. The Perceived Need
The commercial potential of the Internet became apparent only in the mid-1990s. Wired Magazine, launched in October 1994, claimed that its Hotwired venture was the first commercial web-site (Clarke 1999c), although Pizza Hut has also staked a claim to that mantle (Hobbes 1990-).
From an early stage, the conventional wisdom was that e-commerce, in comparison
with purchasing in a physical location like a shop, lacks the important comfort
factor of seeing who you're dealing with, or at least being able to see the
merchant's physical 'foot-print'. It was therefore postulated that successful
commerce on public networks would be dependent on some other means of
establishing trust.
A leap was then made to the conclusion that trust would need to be based on a
mechanism for the identification of parties who deal on the net, supplemented
by authentication mechanisms to test the assertions of identity. A recent
expression of this is that "Fundamentally, electronic commerce involves the use
of remote communications and therefore necessitates all parties involved to
authenticate one another ... [because] the parties will not at the time of
transacting have face to face dialogue" (McCullagh A. & Caelli, 2000).
Moreover, the demand for identity was presumed to be two-sided, i.e. not only
would the merchant or services-provider identify themselves to the consumer but
consumers would also identify themselves to sellers. It is unclear whether
this was a conscious assumption, and if so whether it was based on an analysis
of merchant behaviour, or was merely a pretext for the creation of exploitable
trails of consumer behaviour. Either way, it represents a significant
compromise to what have hitherto been to a considerable extent anonymous
transactions.
3. Conventional Technology
This section provides a brief overview of the key technologies that have
enabled engineers to address the perceived problem described above.
During the 1980s, public key (or 'asymmetric') cryptography had emerged.
Public key cryptography involves two related keys, referred to as a 'key-pair',
one of which only the owner needs to know (the 'private key') and the other
which anyone can know (the 'public key'). Because only one party needs to know
the private key, it does not need to be transmitted between parties, and hence
it need never be exposed to the risk of interception. Knowledge of the public
key by a third party, on the other hand, does not compromise the security of
message transmissions (Diffie & Hellman 1976, Schneier 1996). For a tutorial treatment, see Clarke (1996).
The following sub-sections introduce the key application of 'digital
signatures', and then the infrastructure on which they depend. The dominant
form of public key infrastructure is then outlined and interpreted.
3.1 Digital Signatures
Digital signatures are a particular application of public key cryptography.
A digital signature is a block of data that is generated from a message prior
to its despatch, and is appended to it. The block is prepared by a two-step
process:
a 'message digest' is created by processing the actual message using a
pre-agreed one-way hash algorithm; and
this message digest is encrypted with the sender's private key.
The recipient re-creates the message digest from the message that they
receive, uses the sender's public key to decrypt the digital signature that
they received appended to the message itself, and compares the two results. If
they are identical, then:
the content of the message received must be the same as that which was
sent (assuring message content integrity);
the message can only have been sent by a sender that had access to the
private key (providing a means of authentication); and
the sender cannot credibly deny that they sent it (addressing the need for
non-repudiability of messages).
This paper concerns itself with only the second of these, the use of a
digital signature to authenticate something about the message-sender.
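The two-step process and the recipient's check, as an added worked example (written for this edition in Go's standard library; it is not code from Clarke's paper). It uses ECDSA over P-256 with SHA-256 as the pre-agreed one-way hash, a constructed sample message, and the names Sign, Verify, Result and SignatureDemo are the example's own. Beyond the genuine, tampered and wrong-key cases, it loads a serialised copy of the signer's private key and shows that signatures made with the copy verify exactly like the original: the check establishes access to the private key, not who exercised it, which is the limit on 'authentication' that sections 4.2 and 4.4 of the paper take up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Signed is a message together with the signature block appended to it.
type Signed struct {
	Message   []byte
	Signature []byte // DER-encoded ECDSA signature over SHA-256(Message)
}

// Sign performs the two steps described above: derive a message digest with
// a pre-agreed one-way hash, then apply the sender's private key to that
// digest. With ECDSA the second step is a signing operation on the digest
// rather than literally an encryption of it.
func Sign(priv *ecdsa.PrivateKey, msg []byte) Signed {
	digest := sha256.Sum256(msg)
	return Signed{Message: msg, Signature: must(ecdsa.SignASN1(rand.Reader, priv, digest[:]))}
}

// Verify is the recipient's side: recompute the digest from the message as
// received and check the appended signature against the sender's public key.
func Verify(pub *ecdsa.PublicKey, s Signed) bool {
	digest := sha256.Sum256(s.Message)
	return ecdsa.VerifyASN1(pub, digest[:], s.Signature)
}

// must keeps the demonstration short: any failure aborts the run.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Result holds the verdicts the recipient reaches in four scenarios.
type Result struct {
	Genuine   bool // Alice's message, Alice's signature
	Tampered  bool // one byte of the message changed after signing
	WrongKey  bool // same message signed under a different key pair
	CopiedKey bool // signed with a copy of Alice's key read back from disk
}

// SignatureDemo runs the scenarios on a constructed message. The last one is
// the point that matters for authentication: a valid signature proves that
// the signer had access to the private key, not who exercised it.
func SignatureDemo() Result {
	alice := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	other := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	msg := []byte("Transfer 100 units to account 42") // constructed sample message
	genuine := Sign(alice, msg)

	// Copy the received bundle and flip one bit in the message body.
	tampered := Signed{Message: append([]byte(nil), msg...), Signature: genuine.Signature}
	tampered.Message[9] ^= 0x01

	// Serialise Alice's key as it would sit on disk and load it again:
	// whoever holds those bytes signs exactly as Alice does.
	copied := must(x509.ParseECPrivateKey(must(x509.MarshalECPrivateKey(alice))))

	return Result{
		Genuine:   Verify(&alice.PublicKey, genuine),
		Tampered:  Verify(&alice.PublicKey, tampered),
		WrongKey:  Verify(&alice.PublicKey, Sign(other, msg)),
		CopiedKey: Verify(&alice.PublicKey, Sign(copied, msg)),
	}
}

func main() {
	fmt.Printf("%+v\n", SignatureDemo())
}
```

Running it with go run prints Genuine and CopiedKey true and Tampered and WrongKey false. The first three verdicts are the integrity and key-possession properties listed above; the fourth is why the paper insists that everything else depends on the private key never having been in anyone else's hands.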
Digital signatures were naively presumed by many people to provide unqualified
assurance. In practice, however, the effectiveness of the mechanism is
dependent on a number of conditions, in particular:
a third party must have checked that the private key is in the possession
of the appropriate party;
that third party must be trustworthy;
the private key must be subject to strong security measures, such that no
other party can ever gain access to it or invoke it;
the public key used must be the appropriate one, and not one provided by
an imposter;
a significant number of infrastructural elements must all be in place and
functioning effectively, and their security not compromised; and
means must be established of discovering when a private key has been
compromised, of issuing notices revoking keys and associated certificates, and
ensuring that revocation is rapidly and reliably transmitted to all who need to
know about it, without generating vast network traffic, access contention and
slow service.
3.2 Public Key Infrastructure
Digital signature schemes depend on the public key of the message-sender
being available to the recipient. The most practicable methods of achieving
this are:
senders can include their public keys in each message;
senders can store them on a site of their own that is readily accessible
(e.g. using FTP or HTTP); or
public keys may be stored in one or more centrally managed directories,
enabling each party to an exchange to look up the public key of the other
party.
All of these approaches are subject to 'spoofing', i.e. an imposter can send
a message that includes a public key, or store a public key in a readily
accessible directory, and thereby fool the other party into thinking the
message came from a particular person or organisation.
To address this risk, the concept was created of a 'certificate' that attests
to the fact that the particular public key is associated with a particular
party. (The technical literature uses the term 'is bound to' rather than 'is
associated with'. Many readers would infer from that term a far stronger form
of association than the technique actually warrants).
More precisely, a 'certificate' is a digitally signed, structured message that
asserts an association between specific data and a particular public key. An
'identity certificate' is then a particular class of certificate that
associates a particular identifier with a particular public key. (It will be
argued later in this paper that the term 'identifier' should really be replaced
by 'nym'). Regrettably, most of the literature uses the term 'certificate'
ambiguously, to refer to both certificates generally and identity certificates
in particular, despite the fact that the differences are extremely important.
According to conventional thinking, a certificate needs to be created by a
trusted 'public key certification authority' (CA). A CA digitally signs each
certificate using its own private key. In most schemes, the certificate is
provided to the party that claims the particular key to be its own. That party
then includes it in the messages that they send. A message with a CA's
certificate attached therefore functions in a manner analogous to a letter
applying for a job being accompanied by a letter from a referee attesting to
something about the applicant, such as their identity, their good character,
their experience, or their qualifications.
A CA needs to undertake some form of authentication process in order to satisfy
itself that the claimed association actually exists. A conventional approach
is to depend on the services of a Registration Authority (RA), such as a Post
Office. A comprehensive process would require the person with whom the key is
to be associated to undertake all of the following:
present themselves at the RA's premises;
provide physical evidence of the characteristic claimed. This would
typically involve 'photo-id', and documentary evidence of (for example) age,
qualifications and/or professional membership, supported by a documentary trail
evidencing the use of the relevant identifier(s) over a period of time
(including, for example, marriage certificate or deeds poll);
provide the public-key;
provide evidence that they are the holder of the private-key (e.g. by
signing a message in the presence of the RA);
provide evidence that they have the private-key secure;
nominate a contact-point; and
nominate a delivery-point for the certificate.
The security of private keys is vital to the whole process, but is capable
of being compromised. Some mechanism is therefore required to record and
provide access to revocations of key-pairs and certificates.
3.3 The X.509v3 Standard
The dominant standard at present is the family of CCITT X.500 standards, in particular X.509 (X.509 1988, 1997, and Housley et al. 1999). The current version of X.509 is number 3, usually referred to as X.509v3, which was finalised in 1997. A set of standards, dubbed PKIX, enables use of X.509 approaches within the web-context (W3C 2000). Guidance has been provided by texts such as Ford & Baum (1997), Adams & Lloyd (1999) and Austin et al. (2000).
Ellison (1997) describes the history this way: "the X.500 proposal was published
[in the late 1980s]. It was to be a global directory of named entities. To
tie a public key to some node or sub-directory of that structure, the X.509
certificate was defined. The Subject of such a certificate was a path name
indicating a node in the X.500 database - a so-called 'Distinguished Name'.
The X.500 dream has effectively died but the X.509 certificate has lived on.
The distinguished name took the place of a person's name and the certificate
was called an 'identity certificate', assumed to bind an identity to a public
key ...". In short, X.509 was the hammer that came to hand when the nail was
discovered.
All forms of PKI necessarily involve some degree of intrusiveness, in order
that sufficient quality can be achieved. Conventional PKI, built around
X.509v3 certificates, is especially severe. Implementations commonly have many
of the following features:
a single key-pair per person;
a 'distinguished name' that is unique across a name-space that is in
principle vast, and in practice large, and that denies the opportunity for
pseudonyms;
a certificate that expressly claims to 'bind' the key to a person;
little or no choice in the manner in which the key-pair is generated;
in many cases, generation of the key-pair outside the control of the
person concerned, with the result that the private key is ab initio in
someone else's possession;
issuer-ownership of the key-pair, with individuals merely licensed to use
it;
little or no choice as to what token (such as a diskette or chip-card) is
used to store and carry the private-key and certificates;
little or no choice as to who will issue the token;
issuer-ownership of the token, with individuals merely licensed to use it;
and/or
little or no choice in the organisation from which the individual acquires
a certificate.
Current X.509v3 certificates go so far as to permit an agent of an
organisation to protect their personal identity through the use of a
role-title, but they actually preclude an individual (referred
to as a 'residential person') from having that capability. Moreover, some
implementations may preclude a residential person from possessing multiple
personal key-pairs, even though the same person is permitted to possess
multiple key-pairs for organisations that they represent.
Some schemes even involve the key-pair generation process being compulsorily
performed by some organisation on behalf of individuals, and compulsory storage
(or 'escrow') of the private key.
X.509v3 certificates provide a limited means for communicating attributes,
within the primary certificate or through the creation of secondary
certificates which may attest to one or more characteristics of the individual.
But the attributes are inherently linked to and dependent on the primary
certificate, which bears the individual's identifier.
The issuing of notice that a key-pair and certificate(s) have been revoked is supported by an inefficient download mechanism called Certificate Revocation Lists (CRLs - X509, 1988, 1997 and Housley et al. 1999). A more recent specification for an on-request look-up is Online Certificate Status Protocol (OCSP - Myers et al. 1999).
4. Deficiencies in Conventional PKI
This section presents a catalogue of problems with PKI based on the
underlying X.509 specification and its translation into Internet terms under
PKIX. The sub-sections address in turn its hierarchical and authoritarian
nature, insecurity of private keys, technical and implementation weaknesses,
the nature of the assurances that certificates actually provide, and the
serious privacy-invasiveness of such schemes.
4.1 The Hierarchical Model of Trust
X.509v3-based PKI is inherently hierarchical. This is because trust in the
CA is not automatic, and each layer of CAs needs to be attested to by some
superior layer. Conventional PKI therefore depends on one third party that is
partly but not entirely trusted, which in turn depends on another such partly
but not entirely trusted third party, which needs to be attested to by some
further superior layer. This results in an unholy spiral up to some mythical
authority in which everyone is assumed to have ultimate trust. Trust in the
real world has never worked like that, and trust in cyberspace won't either.
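The hierarchy described here, together with the certificate, CA and CRL mechanisms of sections 3.2 and 3.3, as an added worked example (not code from the paper; written for this edition against Go's standard crypto/x509 package, and assuming Go 1.19 or later). Every name and serial number, including the 'Mythical Root Authority', is constructed for the demonstration, and the functions issue, chainAccepted, revoke, isRevoked and HierarchyDemo are the example's own. A root CA signs an intermediate, which signs an end-entity certificate; the relying party then asks its questions: the chain is accepted only when the root's self-signed certificate already sits in its trust store, the identical chain against an empty store has nothing to lean on, and revocation is a separate look-up that chain validation never performs for you.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // any failure aborts the demonstration
	if err != nil {
		panic(err)
	}
	return v
}

// issue binds a fresh key pair to the Distinguished Name cn in a certificate
// signed by the parent's key (self-signed when parent is nil) and returns it
// with its private key. Serials and names are constructed for this demo.
func issue(serial int64, cn string, usage x509.KeyUsage, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  usage&x509.KeyUsageCertSign != 0,
	}
	if parent == nil { // self-signed: the template vouches for itself
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// chainAccepted asks the relying party's question: does leaf chain, via the
// intermediates offered with it, up to a certificate in the trust store?
func chainAccepted(leaf *x509.Certificate, offered, trusted *x509.CertPool, now time.Time) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, Intermediates: offered,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// revoke has the issuing CA publish a CRL listing serial. Verify above never
// consults CRLs; obtaining and checking one is a separate step for the relying party.
func revoke(issuer *x509.Certificate, key *ecdsa.PrivateKey, serial *big.Int, now time.Time) *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now}},
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))
	return must(x509.ParseRevocationList(der))
}

// isRevoked trusts the CRL only after its signature checks against the
// issuer's certificate, then looks for the certificate's serial in it.
func isRevoked(crl *x509.RevocationList, issuer, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

type Outcome struct{ ChainOK, WithoutRoot, LeafRevoked bool }

// HierarchyDemo builds root -> intermediate -> end entity and runs the checks.
func HierarchyDemo() Outcome {
	now := time.Now()
	root, rootKey := issue(1, "Mythical Root Authority", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil, now)
	inter, interKey := issue(2, "Regional CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, root, rootKey, now)
	leaf, _ := issue(3, "Joe Bloggs", x509.KeyUsageDigitalSignature, inter, interKey, now)
	trusted, offered := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(root)
	offered.AddCert(inter)
	var o Outcome
	// Accepted only because the root's self-signed certificate is taken on trust;
	// the identical chain against an empty trust store has nothing to lean on.
	o.ChainOK = chainAccepted(leaf, offered, trusted, now)
	o.WithoutRoot = chainAccepted(leaf, offered, x509.NewCertPool(), now)
	o.LeafRevoked = must(isRevoked(revoke(inter, interKey, leaf.SerialNumber, now), inter, leaf))
	return o
}

func main() {
	fmt.Printf("%+v\n", HierarchyDemo())
}
```

go run prints ChainOK true, WithoutRoot false and LeafRevoked true. Two design points are worth noticing. The top of the chain is accepted on no evidence other than its presence in the trust store, which is the 'self-signed certificate, i.e. blind trust' that section 4.3 describes. And a successful Verify says only that the leaf's public key was vouched for by that chain at some time; whether the matching private key is still solely in Joe Bloggs' hands is exactly what a CRL check, done separately and authenticated against the issuer before its contents are believed, tries and often fails to answer in time.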
Such schemes can also be readily argued to be authoritarian in nature (Clarke 1994b). For example, there is an intrinsic assumption that all parties
providing certificates are required to disclose their identity, even if the
only functional need is to communicate eligibility (e.g. their age,
qualifications, or agency relationship with a principal).
The further assumption is made that the 'distinguished name' has to be unique
within the 'name-space'. This precludes the second and subsequent, say Joe Bloggs (Clarke 2000b), from using their own name without some kind of qualifier. It also
provides no basis for individuals to use alternative identifiers, and
implicitly denies individuals the capability to have and use multiple
key-pairs, and multiple certificates. The engineers who created the X.509
standard appear to have been blithely unaware that multiple identities per
person are entirely legal in many jurisdictions, particularly those whose legal
systems derive from the United Kingdom (Clarke 1994c).
4.2 Private Key [In]Security
Underlying digital signatures and PKI is the assumption that the holder of a
private key will be able to ensure its security. During the 1999-2000 period,
corporate servers have been subject to a rash of electronic break-ins. The ease with which many of these have been performed has demonstrated the serious inadequacy of the precautions taken by organisations of all kinds and all sizes. Standards have been issued by governments (e.g. TCSEC 1985, ITSEC 1991, Common Criteria 1998), and guidance provided by text-books (e.g. Garfinkel & Spafford 1997), but the degree to which organisations have applied the principles is embarrassingly low.
To date, it does not appear that private keys have been a particular target of
the crackers. There are likely to have been multiple reasons for this, not
least the relatively small usage of private keys, and the fact that there have
been plenty of more attractive items of data to aim for. As and when private
digital signature keys attract more attention, it is reasonable to expect that
more attacks will be made, and that many corporate keys will be compromised.
Conventional PKI also assumes that consumers and citizens will have, and will
need to use, private keys. The author has recently supervised a project to
examine the scope for consumers to protect their keys within 'commodity
workstations', such as Windows, MacOS and Linux machines directly
connected to the Internet via commercial Internet access service providers
(Kaiser 2000).
There are many ways in which malware can be applied to discover, copy or invoke
private keys, in memory or on disk, even if they are protected by cryptographic
measures. The hardware and systems software of commodity workstations
currently provide very little in the way of security features. There is scope
for a variety of protective measures to be applied to private keys, including:
storage on diskettes, chipcards, rings, brooches, badges and dongles;
communication with the processor using directly-connected device-readers,
connection of the storage device directly into, say, a USB port, or wireless
transmission; and
invocation using passwords, pass-phrases and biometrics, perhaps using
ATM-style PIN-pads or biometrics-pads (see, for example, Corcoran et al. 1999).
Yet there are still very few products available that enable consumers to
graft such security features on to their work-and-play facilities, and such
products as exist require considerable expertise to install and configure.
Private keys therefore remain highly susceptible to a wide array of risks, both
of capture, and of invocation without the authority of, or even knowledge of,
the consumer/citizen. The context of use of digital signatures is such that
very little confidence can be placed in the meaningfulness and reliability of
authentication processes that depend on them.
4.3 Technical and Implementation Weaknesses
A range of problems has been identified with the technical design of X.509-based PKI and with its implementation in real-world applications (Ellison & Schneier 2000).
Conventional PKI assumes either that there is a single global
name-space (i.e. world government, and a single, unique
identifier imposed on every citizen of the world), or that multiple name-spaces
exist, but that they inter-operate (and that each regional authority imposes a
single, unique identifier on every person under their jurisdiction).
There are difficulties in detecting that a private key has been subject to
compromise (i.e. unauthorised access or invocation). There
are further difficulties in implementing an effective revocation
process. This is especially serious if retrospective
revocation is permitted (i.e. notification to a set of recipients that
a private key had been compromised since some past time, and that the sender
reserves the right to repudiate transactions signed after that time).
Time-stamping is a critical aspect of revocation processes;
but it is not an assured, secure service.
Registration processes involve effort and expense, and are onerous and demeaning for individuals. As a result, schemes generally
compromise on registration requirements. Many ignore them almost entirely by,
for example, depending on some prior relationship between the person and the RA
or CA.
With some qualifications, X.509v3 architectures are designed to work within a
simplistic/militaristic 'absolute trust' view of security, rather than a
'risk-management' approach. On the other hand, actual implementations
generally compromise the design requirements, often severely. In particular,
most operational schemes have only one layer of CA, and the basis on which each
recipient of a message is supposed to trust those CAs is a
'self-signed' certificate, i.e. blind trust in the company, its
intentions, and its procedures.
A further serious concern is that many schemes fail to implement effective
revocation procedures, using either the CRL or OCSP
specifications.
The major implementations of X.509-based PKI, such as that based on the
Verisign certificates embedded in commercially-available web-browsers, are at
best 'relaxed' applications of formal X.509 standards, and hence the current
PKI is even less meaningful than that which would be feasible if it was applied
as intended.
The X.509 standards are long, rich, complex and imprecise, with the result that
interpretations of the standard are required, and many
variants, commonly termed 'profiles', exist (see, for example, Gutmann 2000). Commercial applications are clumsy to implement, and considerable
difficulties and delays are experienced, even by skilled
technicians, in relation to the generation of keys, the acquisition of
certificates, and the management of certificates.
CAs deflect attention from the critical weaknesses of their registration
processes by drawing attention to the physical and electronic security of the
facilities that they use to generate the certificate. Yet Ellison (1996) long ago concluded that "if the bond between key and person is
broken, no layer of certificates will strengthen it. On the contrary, in this
case certificates merely provide a false sense of security to the [recipient]".
4.4 The Limited Assurance Actually Provided
A critical feature of schemes of this kind is the warranty and/or indemnity
provided by the CA to accompany the assurance. The CA needs to recognise
financial liability in the event that the assurance that the sender was indeed
who the sender purported to be transpires to be incorrect, and that a party's
reasonable dependence on the assurance resulted in economic cost. The wording
provided by web-browsers suggests considerable protection, e.g. "The signer of
the Certificate promises you that the holder of this Certificate is who they
say they are" (Macintosh Netscape Navigator 4.08).
Such bold assurances are, in practice, subject to a great deal of
qualification. CAs commonly express their procedures for associating
individual persons with online identities in 'Certification Practice
Statements'. These are often phrased, however, in ways that obscure rather
than clarify. Moreover, "The certification authority may establish different
classes of certificates with different prices and different degrees of scrutiny
applied in reviewing the application" (Winn 1998). Meanwhile, CAs are very eager to phrase what are commonly termed
'Certificate Policy Statements' in such a manner that they minimise their
exposure to liabilities arising from reliance on the assurances that they
provide.
In any case, the concept of 'authentication' has been seriously misunderstood
by the designers of X.509-based PKI. Authentication is a process whereby a
degree of confidence is established in the truth of an assertion. There are
many kinds of assertions that can be the subject of authentication processes.
Among them are assertions of the form 'this artefact has a value equivalent to
so much of a particular currency', and 'the sender of this message has a
credential that attests to their eligibility to perform a particular
function'.
In order to discuss the real meaning of a certificate, some definitions of
terms are needed:
an entity is a real-world thing. A pallet, a package and
a widget are examples of real-world entities that are generally not relevant in
the current context; whereas a person, an organisation, and an artefact that
is capable of taking a relevant action (e.g. a hardware-server, a
software-server, a hardware-client, a software-client, a software agent) are of
direct relevance;
an identity is a defined and specific instance of a
specific entity (e.g. a particular person, organisation, computer or software
process, at a particular point in time). At any given time, each entity has
precisely one identity (but, because its experience and hence behaviour are
cumulative, its identity changes over time). An identity is also not capable
of being directly expressed as data;
a digital persona is a group of data items that together
form a simplified representation of an identity (Clarke 1994a);
an identifier is a data-item or group of data-items which
reliably distinguish the identity of an entity. An identity may have many
identifiers, i.e. the mapping is 1:n. (Note that, in most of the literature
relating to digital signatures, certificates and PKI, the term 'name' is used
variously to refer to a specific kind of identifier and to refer to identifiers
generally).
The kind of assertion that certificates are supposed to provide assurance
about is 'the sender of this message is the entity that uses a particular
identifier'. A certificate does not, however, attest to that.
What it does attest to is that:
a particular message was generated by an artefact that had available to it
a particular private key; and
the CA that provided the certificate has, at some time in the past, had
grounds for believing that private key to be associated with a particular
entity.
Depending on the registration process that was applied, a certificate
may also attest that:
the CA that provided the certificate has, at some time in the past, had
grounds for believing that the entity had some kind of right to use that
identifier, or had used that identifier in the past; and
the CA that provided the certificate has, at some time in the past, had
grounds for believing that the entity had access to the appropriate private key.
A certificate provides no assurance, however, about whether:
the private key was originally available to other entities as well as the
entity to which it purports to be 'bound';
the private key is now available to other entities as well as the entity
to which it purports to be 'bound';
the private key invocation that gave rise to a particular message was
performed by the entity; and
the private key invocation that gave rise to a particular message was
performed with the entity's free and informed consent.
Moreover, such assurance as a certificate provides is qualified by the terms
of the CA's Certificate Policy Statement, as dictated by the CA's lawyers; and
very limited recourse is available should the assurance be wrong.
McCullagh A. & Caelli (2000) argue that "In the legal sense an alleged signatory
to a document is always able to repudiate a signature that has been attributed
to him or her. The basis for a repudiation of a traditional signature may
include:
The signature is a forgery;
The signature is not a forgery, but was obtained via:
Unconscionable conduct by a party to a transaction;
Fraud instigated by a third party; [or]
Undue influence exerted by a third party.
"There is a strong movement to legally reverse the onus of proof for digital
signatures. The position being promoted is for the alleged signatory to have
the onus of proof in establishing that he or she did not digitally sign a given
document. ... It is submitted that the law should not in the electronic
commerce environment alter this position as regards to the legal rights of
parties to repudiate a digital signature".
McCullagh and Caelli conclude that "Without a trusted computing system, neither
party - the signer or the recipient - is in a position to produce the necessary
evidence to prove their respective case". In short, an X.509v3 PKI is of no
use, unless conditions are satisfied that manifestly are not
satisfied.
The inescapable conclusion is that the contemporary implementation of PKI in
the Internet context is a complete waste of time and effort, and represents
nothing more than a gesture towards the need for security. It involves
enormous complexity, effort and expense, in return for very weak evidence, and
very limited recourse.
4.5 Privacy-Invasiveness
The previous sections have focussed mainly on technical inadequacies, but
mentioned privacy in passing. This section summarises the privacy impact of
conventional digital signatures and PKI.
Greenleaf & Clarke (1997) identified a wide range of threats, and categorised them as follows:
Private Keys
Private key generation. To ensure that the private key
is never outside the possession of the user, it needs to be generated entirely
under the user's control, but nonetheless in a certifiably secure manner;
Private key storage and backup. To ensure that the
private key is never outside the possession of the user, it needs to be
securely stored and backed-up;
Private key escrow. Because of the need to ensure that
the private key is never outside the possession of the user, any form of escrow
of digital signature private keys is inimical to the very concept of PKI;
Private key access. Because of the need to ensure that
the private key is never outside the possession of the user, private digital
signature keys need to be exempt from court orders and search warrants;
Private key revocation. Revocation needs to be very
carefully undertaken (because, by definition, doubt has been thrown on the
authenticity of a message signed using that private key); yet it needs to be
very quickly undertaken (because of the risk of masquerade and fraud in the
interim);
Public Keys
Certification identification requirements. Presentation
at a Registration Authority in order to seek a certificate is onerous, and may
involve intrusive demands for documents and even biometrics;
Registers of public keys and/or certificates. Any such
register that may be established inevitably contains sensitive personal data.
Moreover, it creates a serious risk of the public key or certificate id
becoming used as a multi-purpose identifier for individuals, with all the
privacy-invasiveness that multi-purpose identification entails (Clarke 1994c,
1997);
Certificate Revocation Lists (CRLs). To the extent that
it might become normal to check the CRL as part of the processing of a
transaction, the logs of CRL and/or OCSP transactions would become a
centralised and highly intensive trail of a person's e-activity. Moreover, the
CRL/OCSP process represents an opportunity for an authority to cancel a
person's cyber-identity;
Consequential Privacy Implications
Increased expectations of identification. The existence
of a means whereby senders can identify themselves might well lead to an
increased level of expectation that they do so in all forms of communication.
This would break down long-established and vital traditions of anonymity and
pseudonymity;
Chip-storage as a means of carriage of the private key.
Because of the need for secure storage of the private key, individuals could be
coerced into the acquisition and use of some form of chip-carriage mechanism.
This would currently most likely be a card, but many other carriers are
feasible, including direct implantation into the person (Clarke 1997);
Central storage of biometrics. One means of preventing
persons other than the owner of the private key from invoking it is to protect
it with a biometric. Most biometric schemes to date involve central storage,
which is an enormous risk to individuals, because of the potential for the
biometric to be used as a basis for masquerade (Clarke 2000).
Some of these problems are features of conventional PKI schemes that could
be avoided or designed around. Many, however, are direct implications of the
nature of the X.509 architecture and certificate design.
Given the nature of X.509v3-based PKI, individuals, including consumers,
citizens, employees and contractors (especially those in sensitive
circumstances), are justified in having serious concerns about schemes of this
nature being inflicted upon them.
5. The Critical Need for Nyms
The previous section argued that PKI's impacts on individuals are severe.
If e-trust schemes are to serve the needs of the Information Society, the focus
must be moved away from identities of individuals, and mechanisms must be at
least tolerant, and even actively supportive, of anonymity and pseudonymity
(Clarke 1993, 1994 and 1999).
Application of these concepts is critical to ensure that the advent of
cyberspace does not mean the death of private space.
The following related needs exist:
both people and useful fictions like corporations need to be able to have
acts performed on their behalf by human and software agents;
people need to be able to perform actions without necessarily declaring
their identity;
people need to be able to communicate that they have particular
attributes, without being forced to declare their identity in the process; and
persistent relationships need to be enabled even though either or both
parties are unidentified.
These objectives can be achieved through the application of the concept of a
'nym'. This is the pseudo-identity that arises from anonymous and pseudonymous
dealings (McCullagh D. 1996-, Clarke 1999b).
An earlier section offered definitions for the terms 'entity', 'identity',
'digital persona', and 'identifier'. Three further terms require explanation:
a role is a particular presentation of an entity. An
entity may have many roles; and a role may be associated with more than one
entity, i.e. the mapping of role to entity is m:n. A role is not capable of
being directly expressed as data;
an agent is a particular role performed by an entity,
with the delegation of, and on behalf of, another entity, which entity is
referred to as a 'principal'. An agent may act for multiple principals, and a
principal may have multiple agents, i.e. the mapping is once again m:n. An
agent may be a human or an artefact;
a nym is a data-item or group of data-items which
reliably distinguishes a role. However, because a role is not reliably related
to an entity, there is no reliable mapping between a nym and the underlying
entity or entities, i.e. the mapping is m:n, and is not determinable.
Moreover, there may be a chain of nyms, because an agent may perform an act on
behalf of an agent, which performs on behalf of a principal.
This gives rise to the following web of concepts:
Nyms are not mere imagination: technologies exist that enable them. See EPIC
(1997-) and Clarke (1999a). Moreover, it is critical to the future of e-commerce that the
information infrastructure supports nyms, and that people adjust to their
existence and nature. As Ellison (1997) argued: "The [U.S. House Hearing] asked 'Do you know who you are
doing business with?'. Before answering that question, one should really
answer the two questions: 'Do you need to know who you are doing business
with?', and 'Can you know who you are doing business with?'".
Nyms are in practice replacing identifiers. Services and protocols such as
IRC, MUDs and ICQ expressly support them. So do several of the alternatives
to conventional PKI that are discussed below. Any approach to inculcating
trust in marketspaces will need to implement persistent nyms at least for the
consumer side of transactions.
6. Alternative Models of Trust
Conventional PKI is ineffectual and privacy-invasive. Fortunately, there
are other ways to address the need for trust in marketspaces. Their discovery
depends in part on re-definition of the problem.
6.1 PGP's 'Web of Trust'
The 'web of trust' approach is intrinsic to the longstanding alternative
product Pretty Good Privacy (PGP) (Zimmerman 1995, Garfinkel 1995, Bacard
1995, Stallings 1995). This avoids the need for professional CAs, because
certificates can be issued by anyone. Fault-tolerance is achieved by depending
on multiple certificates, probably with varying weightings assigned to them by
the evaluator, on the basis of the degree of trust they place in the person who
provided the certificate.
The approach requires message-recipients to consider the extent to which they
really need assurance, and confront the simple fact that all assurance is
relative rather than absolute. The PGP concept is non-deterministic and
uncomfortable, but it reflects the reality of social and economic activity.
This finds echoes in the works of some theorists. For example, Maurer
(1996) highlights the fragility of the assumption that the determination of
trust is deterministic and computable on the basis of certificates, and
discusses the alternative of a probabilistic approach to the problem. This
distinction is closely related to the difference between the naive military
concept of 'absolute trust' and the more realistic and less expensive
alternative of a 'risk-managed' approach to security issues.
PGP supports nyms. It depends on email-addresses, which are unique, because of
the manner in which domain-names are allocated, and aliases and user-names are
assigned. They are not formally linked to entities, however, and may have any
of a 1:1 relationship with a single person, or 1:n (multiple people may share
the same address), or n:1 (a person may have multiple addresses); or indeed
m:n (multiple accounts may be used by multiple people).
The practicality of PGP's specific implementation of the 'web of trust' notion
has been criticised, but arguments have been pursued for the concept to be
broadened and applied more generally (Grossman 2000).
6.2 SPKI/SDSI
Another standardisation process is that which grew out of Simple Public Key
Infrastructure (SPKI) (Ellison 1996, IETF 1997-, Wang 1998, Ellison 2000).
The momentum has now shifted to a parallel initiative, the Simple
Distributed Security Infrastructure (SDSI) (Rivest & Lampson 1996, SDSI
1996, Ellison 2000). The two approaches are in the process of being harmonised.
The key element of SDSI is that the X.509 nirvana of a single, global
name-space has been abandoned. With it, the presumption has been removed that
'name' (or, better expressed, 'identifier') is reliably bound to a particular
entity. The certificate associates a public key (and hence a key-pair) to an
entity that only the CA knows, and no warranties are provided by the CA to the
recipient of the message as to who the keyholder is. It is up to the relying
party to build up an image of the sender based on its successive interactions
with the holder of that key.
Attributes are associated with public keys, not with identities of real-world
entities. Hence, for example, a recipient can be assured that a particular
message was provided by a medical practitioner, or a person over 18, or over
65, or in possession of power of attorney for a company for purchases up to
$10,000; but the certificate is silent about the identity of the person who is
using the key (Ellison 2000).
SPKI/SDSI supports nyms, because no identifier is reliably associable with a
particular entity. SPKI's originator, Carl Ellison, draws attention to the
privacy dangers of using any identifier consistently, because such an action
would provide the means whereby the data trails the person leaves behind can be
collated: "The real solution is for the user to generate multiple key pairs
and use them for carefully walled-off purposes" (2000a).
Each of these key pairs is a nym.
6.3 Stefan Brands' Alternative Certificates
Brands (2000) proposes a different conception and implementation of digital
certificates, such that privacy is protected without sacrificing security. The
validity of such certificates and their contents can be checked, but the
identity of the certificate-holder cannot be extracted, and different actions
by the same person cannot be linked. Certificate holders have control over
what information is disclosed, and to whom. Stefan Brands' certificates are
expressly anonymous.
6.4 Reputation and Brand
Trust may be based on reputation, by which is meant 'generally held'
positive opinion about an entity. There are several ways in which 'generally
held' opinion can arise. These include:
experience-based reputation. An entity may have
confidence in another entity because of the accumulated experience of dealing
with them. This can be inculcated through a planned transition of visit,
re-visit, trial transaction, small transaction, then larger transaction,
leading to a succession of larger transactions (Clarke 1999c);
performance-based reputation. An entity, by being active
within a community for some time, can come to be perceived by participants in
that community to have positive characteristics, and hence to be trustworthy;
and
social-network-based reputation. Entities that are
already known within a community can introduce the entity, in effect attesting
that 'yes, this entity is known to me'.
Marketing specialists have substituted image for substance, and manufactured
a proxy for reputation. This approach has two forms:
'brand'. An entity can use advertising and public
relations techniques to establish or embellish a brand name, which it protects
using the particular form of intellectual property law called trademarks; and
'meta-brand'. An entity can seek to engender trust in
itself by using someone else's brand, such as a seal of approval from an
organisation that projects advertising and public relations on behalf of its
clients, e.g. TRUSTe and WebTrust.
6.5 Trust Management
An approach that avoids and dissolves the problems with PKI rather than
trying to solve them is trust-management systems (Blaze et al. 1999a, Blaze
et al. 1999b). These can be viewed as generalisations of longstanding
access control techniques for achieving security of software processes and
data.
Blaze (1999) argues that trust management has five basic components:
a language for describing 'actions', which are operations with security
consequences that are to be controlled by the system;
a mechanism for identifying 'principals', which are entities that can be
authorised to perform actions;
a language for specifying application 'policies', which govern the actions
that principals are authorised to perform;
a language for specifying 'credentials', which allow principals to
delegate authorisation to other principals; and
a 'compliance checker', which provides a service to applications for
determining how an action requested by principals should be handled, given a
policy and a set of credentials.
The trust management approach also offers ways of addressing privacy: it is
much less concerned with identified individuals, because it focusses primarily
on privileges and restrictions; and it can deal with nyms representing
pseudonymous roles just as readily as with names that are associated with an
identified human.
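The five components listed above, together with the SPKI/SDSI idea (section 6.2) of binding attributes to keys rather than to identified people, as an added illustration that is not from the paper, nor from KeyNote or SPKI: principals are public keys (nyms), credentials grant an attribute from one key to another with an optional right to delegate, the relying party's local policy names the root keys it trusts, and a compliance checker decides an action by finding a chain from a trusted root to the requesting key. The key names, the 'purchase' attribute, the credentials and the hash-based signature stand-in are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Credential:
    issuer: str      # public key (nym) of the grantor; no real-world name involved
    subject: str     # public key (nym) that receives the attribute
    attribute: str   # what is granted, e.g. "purchase" or "medical_practitioner"
    limit: int       # upper bound attached to the attribute (e.g. dollars)
    delegate: bool   # may the subject pass the attribute on to other keys?
    sig: str = ""    # stand-in for the issuer's signature over the other fields

    def body(self) -> str:
        return f"{self.issuer}|{self.subject}|{self.attribute}|{self.limit}|{self.delegate}"

def sign(cred: Credential) -> Credential:
    # Constructed stand-in for signing with the issuer's private key (not secure):
    # the point of the example is the checker logic, not the signature scheme.
    return replace(cred, sig=hashlib.sha256(cred.body().encode()).hexdigest())

def verify(cred: Credential) -> bool:
    return cred.sig == hashlib.sha256(cred.body().encode()).hexdigest()

def check_compliance(policy, creds, requester, attribute, amount):
    """Decide whether key `requester` may perform `attribute` for `amount`.
    `policy` maps an attribute to the root keys this relying party trusts for it
    (local policy, no global CA). Returns the credential chain that justifies
    the action, or None. Limits can only shrink along a delegation chain."""
    usable = [c for c in creds if verify(c) and c.attribute == attribute]

    def search(key, bound, chain):
        for c in usable:
            if c.issuer != key or c in chain:
                continue
            new_bound = min(bound, c.limit)        # attenuation: no widening of limits
            if c.subject == requester and amount <= new_bound:
                return chain + [c]
            if c.delegate:                         # only delegable grants continue the chain
                found = search(c.subject, new_bound, chain + [c])
                if found:
                    return found
        return None

    for root in policy.get(attribute, set()):
        found = search(root, float("inf"), [])
        if found:
            return found
    return None

# Constructed sample data: the company key is the only root this relying party trusts.
POLICY = {"purchase": {"KEY_company"}}
CREDS = [
    sign(Credential("KEY_company", "KEY_cfo", "purchase", 10000, True)),
    sign(Credential("KEY_cfo", "KEY_agent", "purchase", 5000, False)),
    sign(Credential("KEY_agent", "KEY_agent2", "purchase", 20000, False)),  # agent may not delegate
    Credential("KEY_company", "KEY_rogue", "purchase", 99999, True, sig="forged"),
]

if __name__ == "__main__":
    for who, amt in [("KEY_agent", 4000), ("KEY_agent", 8000), ("KEY_cfo", 8000),
                     ("KEY_agent2", 100), ("KEY_rogue", 100)]:
        chain = check_compliance(POLICY, CREDS, who, "purchase", amt)
        print(who, amt, "ALLOW via %d credential(s)" % len(chain) if chain else "DENY")
```

Nothing in the decision depends on who the keyholders are; the agent's 8000 request is refused because the limit attenuated to 5000 along the chain, and the second-level grant fails because the agent's own credential carried no delegation right.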
7. Conclusions
The originally perceived need was that, for e-commerce to become mainstream,
merchants needed to identify themselves, and to enable authentication of the
identifiers they provided. Marketers sought schemes in which consumers also
needed to identify themselves to the seller. This paper has cast grave doubt
on the need for identification and authentication, particularly of consumers.
It has drawn attention to the manifold failures of conventional PKI to deliver
on its claims, and to its seriously privacy-invasive nature.
There remain a few contexts in which digital signatures can be effective. In
particular, they can be applied internally by organisations that have structures
that are strictly hierarchical and relatively stable. National defence
agencies, and some kinds of large corporations, are arguably of that kind. In
addition, a related approach can be applied on Extranets that link defined and
bounded communities of organisations and individuals. Where the participants
are well-known to one another from prior dealings, a scheme can be devised to
leverage off the existing relationships in order to associate a key with a
particular community-member.
Winn (1998) refers to these as 'closed-bound communities'. Note that, in such
circumstances, the conventional PKI is essentially irrelevant (Wheeler 1998,
Wheeler & Wheeler 1998).
The technical orientation that has been adopted by the proponents of
conventional, X.509-based PKI does not, however, address the needs of the
Information Society. The real requirement is for trust in e-interactions:
consumers want security and convenience, but without surrendering personal data
to sellers (and hence to others who may gain access to it, such as other
merchants, and agencies of government).
Conventional PKI suffers from such serious inadequacies that its application is
highly suspect. The existence of an increasingly rich set of alternatives to
conventional, hierarchical PKI shows that the time has now come to recognise
the inherent deficiencies of X.509 architectures, and abandon attempts to
impose them on open, public systems.
References
Adams C. & Lloyd S. (1999) 'Understanding the Public-Key
Infrastructure' New Riders Publishing, 1999
Austin T., Huaman D. & Austin T.W. (2000) 'Public Key Infrastructure
Essentials', John Wiley & Sons, 2000
Bacard A. (1995) 'The Computer Privacy Handbook: A Practical Guide to E-Mail
Encryption, Data Protection, and PGP Privacy Software', Peachpit Press 1995, at
http://www.andrebacard.com/press.html
Blaze M. (1999) 'Using the KeyNote Trust Management System', November 1999, at
http://www.crypto.com/trustmgt/kn.html
Blaze M., Feigenbaum J., Ioannidis J. & Keromytis A. (1999a) 'The
KeyNote Trust-Management System Version 2' RFC2704, IETF, September 1999, at
http://www.crypto.com/papers/rfc2704.txt
Blaze M., Feigenbaum J., Ioannidis J. & Keromytis A. (1999b) 'The Role of
Trust Management in Distributed System Security' Chapter in Vitek & Jensen
(Eds.) 'Secure Internet Programming: Security Issues for Mobile and Distributed
Objects', Springer-Verlag, 1999, at
http://www.crypto.com/papers/trustmgt.pdf
Branchaud, M. (1997) 'A Survey of Public Key Infrastructures', Master's
Thesis, Department of Computer Science, McGill University, Montreal, March
1997, at
http://www.xcert.com/~marcnarc/PKI/thesis/
Brands S.A. (2000) 'Rethinking Public Key Infrastructures and Digital
Certificates: Building in Privacy' MIT Press, 2000
Clarke R. (1993) 'Computer Matching and Digital Identity' Proc. Computers,
Freedom & Privacy, February 1993, at
http://www.anu.edu.au/people/Roger.Clarke/DV/CFP93.html
Clarke R. (1994a) 'The Digital Persona and its Application to Data
Surveillance' The Information Society 10,2 (June 1994), at
http://www.anu.edu.au/people/Roger.Clarke/DV/DigPersona.html
Clarke R. (1994b) 'Information Technology: Weapon of Authoritarianism or Tool
of Democracy?' Proc. World Congress, Int'l Fed. of Info. Processing, Hamburg,
September 1994. At
http://www.anu.edu.au/people/Roger.Clarke/DV/PaperAuthism.html
Clarke R. (1994c) 'Human Identification in Information Systems: Management
Challenges and Public Policy Issues' Info. Technology & People 7,4
(December 1994). At
http://www.anu.edu.au/people/Roger.Clarke/DV/HumanID.html