On Thu, Jul 1, 2010 at 8:00 PM, Tim Bogart <timbogart@yahoo.com> wrote:
All,

This is a perfectly crystallized description of views I espoused in a book I wrote 3 years ago which didn't get published.  I did an entire chapter on PKI versus circle of trust.  What's the difference between the two.  Fundamentally, it's philosophy, and Ellison and Schnier said it best.  "Who do you trust?"  Public Key Infrastructure is largely adopted by large firms who have a burning desire to centralize the process.  Have you ever met a manager or executive that didn't have an inclination toward wanting to have iron fisted control over a process or system?  PKI provides that control, and that makes them feel good.  Circle of trust decentralizes the control and allows anybody in an organization to sign keys.  This places the onus of inquiry on the user to validate or verify signatures independently.  And in my estimation, from a security perspective, this is a good thing.  The circle of trust can be compared to the play or movie called “Six Degrees of Separation.” It goes like this... Do you know the Pope? Probably not. But how many acquaintances do you think you have between yourself and the Pope? Well, let's assume you know me, that's one. I know Vint Cerf, that's two. Vint Cerf knows George Bush, that's three. And President Bush knows the Pope, that's four. So, if you knew me, there would be four degrees of separation between you and the Pope. I'm not going to go into whether you trust George Bush, or the Pope, or me for that matter, but I think you see how it works. In a large Corporation like Verizon, or the US Military, there's an echelon of command that dictates who you should trust. But is that the best way to go? I say no. Not from a security perspective. Independent validation of credentials is always preferable to centralization in this scenario because if there is a breakdown in the chain of trust with the PKI model, it can be catastrophic. If there is a breakdown in the chain of trust in a circle of trust system, it's recoverable because there is more than a single path of trust. It's comparable to the very reason the Internet and packet switched networks were developed by DARPA. If a catastrophic event took out a major telecommunications switch, rerouting calls would be very time consuming and sometimes impossible in a circuit switched network. Whereas with a packet switched network, the packets containing the call information would be rerouted around the damaged segment or segments automatically. That's what the Internet was invented for in the first place (read “Where Wizards Stay Up Late. The Origins of the Internet” by Katie Hafner and Mathew Lyon, ISBN 0684812010, Library of Congress #TK5105.875.I57 H338 1996 ).


“But management needs central control!” They can still have it with circle of trust. They can poison pill any key set they wish. They can even require key signatures that will allow management or agents thereof to open encrypted emails. It's all in the architecture and how it's administered. I worked for a company that used circle of trust and did just that. But the skeleton keys weren't held by one entity. The company had a master or skeleton key and could open an encrypted document or email. The key to the security in this scenario was the process. There was a formalized request and approval process that was required with certain checks and balances in place to ensure the act of breaching and encrypted transmission wasn't abused by a single person, like launching a missile from a submarine.


Anyway, I could go on and on. But I won't bore you. Suffice to say that Bruce and Carl are absolutely correct.


BTW... get the book. It starts out a bit slow but there's all kinds of good stuff in there, like who's responsible for making the first router work, who's idea was it to fund it initially? Who came up with the RFC system? Who's responsible for the @ in email addresses and all kinds of good stuff. It pays to know your history, and this book's got a bunch of it.


My $0.02

t


From: Mike Schwartz <schwartz@acm.org>
To: PLUG-discuss mailing list <plug-discuss@lists.plug.phoenix.az.us>
Cc: Mike L Schwartz <schwartz@acm.org>
Sent: Thu, July 1, 2010 6:36:12 PM
Subject: OT: (or is it?) Interesting take on PKI and security

Interesting take on PKI and security 
http://www.schneier.com/paper-pki-ft.txt
a favorite take-away quote, from it:
"[...] security is very difficult, both to understand and to implement. "
(that's from the 2nd sentence, of about the 4th-to-last paragraph). 
...something to think about...
--
Mike Schwartz    

Glendale  AZ
schwartz@acm.org



Tim,

Useless history!  Better yet play with PK yourself, setup sendmail with DKIM keys, and play with DNS to understand various RFCs. 

I can't get my brain trivia tables to index history, unless it's music history or art history?

--
Office: (480)307-8707
AT&T: (503)754-4452