The following text is copyright 1999 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

Are you usefully certifiable?

by Scott Bradner

Public Key Infrastructure (PKI) and digital signatures are all the rage these days with cover stories in a number of trade magazines and even a front page story in the Boston Globe the other day. But even with all the hype it is far from clear what I can do with your digital signature if you were to send it to me.

A bit of background first. Public key cryptography refers to a type of technology in which a user has a pair of cryptographic keys, one that is kept secret and is referred to as the private key and an associated key that can be public. Any data encrypted in either one can only be decrypted by the other one of the pair. If I want to send you a secret message I would encrypt it in your public key before sending it to you knowing that your private key is required to decrypt the message. One more bit of background. A digital signature (DS) is created by running a chunk of data (such as a file) through a mathematical algorithm to get a large numerical value that is unique to the original data. The value is then encrypted (referred to as "signed") in the private key of the sender. The DS is then sent along with the original data. The receiver decrypts the DS using the public key of the sender and the resulting value is compared to the result of the receiver running the data through the same algorithm that the sender used. If they match then all is OK with this message. (It could contain garbage but it's the same garbage that was sent.)

I need a reliable way to get your public key for either of the above functions and that is where PKI comes in. A PKI is a set of servers, known as certificate authorities (CA), from which I can get a copy of your public key with a DS, encrypted in the private key of the CA, for verification. This is called a certificate.

One thing that seems to be all too commonly overlooked is that it's not enough to know that a particular CA signed your certificate, I also need to know what processes that CA uses in its operations and to find out who you are before giving you a certificate to know if I can trust the CA and its certificates.

The description of these processes can be very complicated indeed. RFC 2527 (http://www.ietf.org/rfc/rfc2527.txt) takes 45 pages and lists 178 things to detail in describing what a good description could contain.

Restricting a PKI to use within a single organization can sidestep most of the issues but anyone thinking that a global PKI will soon facilitate electronic commerce should read RFC 2527 and weep.

disclaimer: Sometime there is weeping when exams are returned at Harvard but the above lament is my own