re: digital signature/PKI information and myths
Here's a technical article on PKI (a common implementation of digital signatures). One of its authors is Bruce Schneier, a most respected crypto guru. It's about 7 pages long. The article argues that PKI is not a silver bullet, especially when the incompetent get involved in its administration. However, he forgets to mention that "Commercial PKI" may still end up being better than "Government PKI" :-)
I personally think PKI is very useful. But this article illustrates its shortcomings. Check it out.
counterpane.com
abstract: "Public-key infrastructure has been oversold as the answer to many network security problems. We discuss the problems that PKI doesn't solve, and that PKI vendors don't like to mention."
warning to investors excerpt: Open any article on PKI in the popular or technical press and you're likely to find the statement that a PKI is desperately needed for e-commerce to flourish. This statement is patently false. E-commerce is already flourishing, and there is no such PKI. Web sites are happy to take your order, whether or not you have a certificate. Still, as with many other false statements, there is a related true statement: commercial PKI desperately needs e-commerce in order to flourish. In other words, PKI startups need the claim of being essential to e-commerce in order to get investors.
There are risks in believing this popular falsehood. The immediate risk is on the part of investors. The security risks are borne by anyone who decides to actually use the product of a commercial PKI.
warning to consumers excerpt: [PKI vendor marketing abuse] the term "non-repudiation." Like "trusted," this term is taken from the literature of academic cryptography. There it means something very specific: that the digital-signature algorithm is not breakable, so a third party cannot forge your signature. PKI vendors have latched onto the term and used it in a legal sense, lobbying for laws to the effect that if someone uses your private signing key, then you are not allowed to repudiate the signature. In other words, under some digital signature laws (e.g., Utah and Washington), if your signing key has been certified by an approved CA, then you are responsible for whatever that private key does. It does not matter who was at the computer keyboard or what virus did the signing; you are legally responsible.
[Do the new federal laws punish consumers when hackers gain access to their digital signatures?]