> From: Paul Hoffman / IMC <phoffman@xxxxxxx>
> At 2:14 PM -0500 12/14/03, Keith Moore wrote:
>> if you can show me a tool that will translate statements like the
>> above (or other statements that ordinary humans can understand) into
>> data structures that existing PKI-based tools will interpret reliably
>> and correctly, I'll be extremely impressed.
> When you get a message with statements about your job, you verify that
> the message has been signed using your boss' public key. What's the
> problem here?

The issue is how you can be sure that the thing purporting to be your boss' (or landlord's, or whomever) public key really is their public key, unless they gave it to you directly and personally themselves. (Which they well might, as part of the opening of any commercial transaction.)

But short of that, there's no *existing* comprehensive key-validation structure which can assure you that the thing which is claimed to be the public key of X really is X's public key, where X is some arbitrary entity - e.g. a Web storefront from whom one wants to purchase something.

Yes, we probably have enough protocol tools that we could create such a thing (e.g. with DNSSEC), but that's not the issue - the point is there's nothing deployed at the moment, therefore no way (in practise) to do it.

	Noel
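The distinction Noel draws above, between "the signature verifies under this key" and "this key really belongs to my boss", can be made concrete. The following is an added example, not code from anyone in the thread: it uses Go's standard-library Ed25519 to show that a message signed by an impostor verifies perfectly well against the key that arrives with it, and that rejecting it requires exactly the missing piece Noel describes, some trusted party vouching for the name-to-key binding. The "trust anchor", the binding format (name, NUL byte, raw key) and the name `boss@example.test` are all constructed for this illustration; no real directory, DNSSEC record format or PKI profile is implied.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Binding is an assertion "this name holds this public key", signed by
// whoever the verifier trusts to make such assertions (the trust anchor).
// The encoding is constructed for this example only.
type Binding struct {
	Name      string
	PublicKey ed25519.PublicKey
	Sig       []byte // anchor's signature over bindingBytes(Name, PublicKey)
}

// bindingBytes is the byte string the anchor signs: name, NUL separator, raw key.
func bindingBytes(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), pub...)
}

// IssueBinding has the anchor vouch that name holds pub.
func IssueBinding(anchorPriv ed25519.PrivateKey, name string, pub ed25519.PublicKey) Binding {
	return Binding{Name: name, PublicKey: pub, Sig: ed25519.Sign(anchorPriv, bindingBytes(name, pub))}
}

// VerifySignedMessage is the check Paul Hoffman describes: does sig over msg
// verify under key? It says nothing about who holds key.
func VerifySignedMessage(key ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(key, msg, sig)
}

// VerifyWithAnchor is the check Noel says is missing in practice: first
// confirm that a party we already trust vouches for (expectedName, key),
// and only then check the message signature under that key.
func VerifyWithAnchor(anchorPub ed25519.PublicKey, expectedName string, b Binding, msg, sig []byte) error {
	if b.Name != expectedName {
		return errors.New("binding names a different party")
	}
	if !ed25519.Verify(anchorPub, bindingBytes(b.Name, b.PublicKey), b.Sig) {
		return errors.New("name-to-key binding is not vouched for by the trust anchor")
	}
	if !ed25519.Verify(b.PublicKey, msg, sig) {
		return errors.New("message signature does not verify under the bound key")
	}
	return nil
}

// Result records the outcome of the three checks in RunScenario.
type Result struct {
	ImpostorPassesBareVerify bool // impostor's message under impostor's own key
	ImpostorPassesAnchored   bool // same message, but binding must be anchor-signed
	BossPassesAnchored       bool // genuine boss with an anchor-issued binding
}

// RunScenario builds a trust anchor, a boss and an impostor, and runs both
// styles of verification on a message about the reader's job.
func RunScenario() (Result, error) {
	anchorPub, anchorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	bossPub, bossPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	impPub, impPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}

	const bossName = "boss@example.test" // constructed identity
	bossBinding := IssueBinding(anchorPriv, bossName, bossPub)
	// The impostor has no access to the anchor, so the best they can do is
	// ship a binding for the boss's name signed with their own key.
	impBinding := IssueBinding(impPriv, bossName, impPub)

	msg := []byte("Your employment ends on Friday.") // constructed message
	impSig := ed25519.Sign(impPriv, msg)
	bossSig := ed25519.Sign(bossPriv, msg)

	return Result{
		ImpostorPassesBareVerify: VerifySignedMessage(impPub, msg, impSig),
		ImpostorPassesAnchored:   VerifyWithAnchor(anchorPub, bossName, impBinding, msg, impSig) == nil,
		BossPassesAnchored:       VerifyWithAnchor(anchorPub, bossName, bossBinding, msg, bossSig) == nil,
	}, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("impostor, bare signature check:      accepted=%v\n", r.ImpostorPassesBareVerify)
	fmt.Printf("impostor, anchored binding check:    accepted=%v\n", r.ImpostorPassesAnchored)
	fmt.Printf("real boss, anchored binding check:   accepted=%v\n", r.BossPassesAnchored)
}
```

The first line of output is the point of the thread: a valid signature under "the key that came with the message" is true for the impostor too. Everything that makes the second and third lines differ lives in `VerifyWithAnchor`, and its `anchorPub` is precisely the thing that has to be obtained out of band or through a deployed validation structure; the code does not, and cannot, conjure it from the message itself.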