Talk:Public key infrastructure: Difference between revisions
imported>Sandy Harris |
imported>Howard C. Berkowitz |
||
Line 15: | Line 15: | ||
and all of that is indeed essential ''if the user is expected to trust the repository'', to assume any key he gets from there is OK. However, if the user only trusts keys and does his own checking of signatures, then none of it is needed except perhaps for the tricky problem of managing key revocation. [[User:Sandy Harris|Sandy Harris]] 02:29, 9 June 2009 (UTC) | and all of that is indeed essential ''if the user is expected to trust the repository'', to assume any key he gets from there is OK. However, if the user only trusts keys and does his own checking of signatures, then none of it is needed except perhaps for the tricky problem of managing key revocation. [[User:Sandy Harris|Sandy Harris]] 02:29, 9 June 2009 (UTC) | ||
::I don't disagree that the PGP distributed trust model versus the hierarchical CA model are substantially different; I'm just not sure that PKI should be assumed to cover both. Could you suggest a "trust verification" or some other term that could cover both without conflicting with the IETF and other widespread use of PKI, which would become the top-level article with both paradigms as subarticles? [[User:Howard C. Berkowitz|Howard C. Berkowitz]] 04:34, 9 June 2009 (UTC) |
Revision as of 22:34, 8 June 2009
|
Metadata here |
We need...
...an article titled "public key." :-) --Larry Sanger 13:54, 3 October 2008 (CDT)
- OK; added more redirects. Give me a little while as I am creating a series of articles with mutual definitions. Howard C. Berkowitz 14:09, 3 October 2008 (CDT)
Broader scope?
I think this needs to compare & contrast the typical hierarchical PKI and the PGP web of trust. The current text seems to describe only the former. Granted, most PKIs work that way and many people use "PKI" to mean exclusively that, but PGP's an important application, it uses a fundamentally different model, and there are arguments that its model is in some ways better.
For example, the opening paragraph currently has:
- The first essential element of PKI is that the creators of public-private keys key pairs have a secure way to store the public key in an accessible repository, with the stored key autheticated as coming from the purported source. The second essential element is that users of the public key have a secure way to retrieve the public key for a given source of information. As with any security tool, there must be a reliable means of auditing changes to the system resources, such as the entry of new keys, with a log verifying that the change was authenticated.
and all of that is indeed essential if the user is expected to trust the repository, to assume any key he gets from there is OK. However, if the user only trusts keys and does his own checking of signatures, then none of it is needed except perhaps for the tricky problem of managing key revocation. Sandy Harris 02:29, 9 June 2009 (UTC)
- I don't disagree that the PGP distributed trust model versus the hierarchical CA model are substantially different; I'm just not sure that PKI should be assumed to cover both. Could you suggest a "trust verification" or some other term that could cover both without conflicting with the IETF and other widespread use of PKI, which would become the top-level article with both paradigms as subarticles? Howard C. Berkowitz 04:34, 9 June 2009 (UTC)