For PKIs in general, there's always an "out of band" transfer of a public key that you elect to "trust" before secure communications/transactions can occur. Often, this is the transfer of a "root key", which is then relied on to certify other public keys you get in the course of doing business.

This is the general solution to the problem Noel describes below - once you have this limited out-of-band transfer, you can rely on the automated exchange of keys. (Subject of course to the possibility of revocation/compromise, and yes most current software ignores that problem or deals with it in a very ugly way. But that's improving.)

(Now, of course, my argument would be stronger if the usual "out of band" transfer wasn't "well, the certificate came pre-loaded in Internet Explorer." But bad implementations don't obscure the general point - the problem is solvable; the solution is known; it involves one secure out-of-band transfer.)

Al Arsenault
Senior Security Engineer
BBN Technologies

-----Original Message-----
From: owner-ietf@xxxxxxxx [mailto:owner-ietf@xxxxxxxx] On Behalf Of Noel Chiappa
Sent: Sunday, December 14, 2003 2:56 PM
To: ietf@xxxxxxxx
Cc: jnc@xxxxxxxxxxxxxxxxxxx
Subject: Re: PKIs and trust

    > From: Paul Hoffman / IMC <phoffman@xxxxxxx>

    > At 2:14 PM -0500 12/14/03, Keith Moore wrote:

    >> if you can show me a tool that will translate statements like the
    >> above (or other statements that ordinary humans can understand) into
    >> data structures that existing PKI-based tools will interpret reliably
    >> and correctly, I'll be extremely impressed.

    > When you get a message with statements about your job, you verify that
    > the message has been signed using your boss' public key. What's the
    > problem here?

The issue is how you can be sure that the thing purporting to be your boss' (or landlord's, or whomever) public key really is their public key, unless they gave it to you directly and personally themselves. (Which they well might, as part of the opening of any commercial transaction.)

But short of that, there's no *existing* comprehensive key-validation structure which can assure you that the thing which is claimed to be the public key of X really is X's public key, where X is some arbitrary entity - e.g. a Web storefront from whom one wants to purchase something.

Yes, we probably have enough protocol tools that we could create such a thing (e.g. with DNSSEC), but that's not the issue - the point is there's nothing deployed at the moment, therefore no way (in practise) to do it.

Noel
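The following is an added example, written for this page rather than taken from either message above, that acts out the exchange the two posts argue about using Go's standard crypto/x509 package. A relying party loads exactly one root it obtained out of band; after that, any key that root has certified verifies automatically, which is Al's point. The two situations Noel describes surface as x509.UnknownAuthorityError: a leaf certified by a root the relying party never loaded, and verification with no anchor loaded at all. The names "Trusted Root", "Rogue Root" and "shop.example" are constructed for the example and stand for nothing real.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// keyAndCert is a generated key pair plus the certificate binding it to a name.
type keyAndCert struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// mint generates a P-256 key and has parent certify it; a nil parent means self-signed.
func mint(tmpl *x509.Certificate, parent *keyAndCert) (*keyAndCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // good enough for a toy CA
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &keyAndCert{key: key, cert: cert}, nil
}

// newCA builds a self-signed root: the one public key a relying party must
// obtain out of band and elect to trust.
func newCA(name string) (*keyAndCert, error) {
	return mint(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil)
}

// issueLeaf has ca certify an end-entity key for dnsName; from here on the
// chain back to the root replaces any further out-of-band step.
func issueLeaf(ca *keyAndCert, dnsName string) (*keyAndCert, error) {
	return mint(&x509.Certificate{
		Subject:     pkix.Name{CommonName: dnsName},
		DNSNames:    []string{dnsName},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
}

// anchorsOf keeps only the certificates: a relying party holds the public
// halves of the roots it trusts, never their private keys.
func anchorsOf(cas ...*keyAndCert) []*x509.Certificate {
	out := make([]*x509.Certificate, 0, len(cas))
	for _, ca := range cas {
		out = append(out, ca.cert)
	}
	return out
}

// verifyAgainstAnchors reports whether leaf chains to one of anchors and is valid
// for dnsName. The pool is always non-nil: a nil Roots would make Go fall back
// to the system trust store, i.e. to somebody else's out-of-band transfer.
func verifyAgainstAnchors(leaf *x509.Certificate, anchors []*x509.Certificate, dnsName string) error {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}

// isUnknownAuthority is true when the only defect is that no chain reaches a
// trusted root, i.e. the out-of-band step was never done for that CA.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	root, _ := newCA("Trusted Root") // constructed names, nothing real behind them
	rogue, _ := newCA("Rogue Root")
	genuine, _ := issueLeaf(root, "shop.example")
	forged, _ := issueLeaf(rogue, "shop.example")
	fmt.Println("genuine leaf, trusted root:", verifyAgainstAnchors(genuine.cert, anchorsOf(root), "shop.example"))
	fmt.Println("forged leaf, trusted root: ", verifyAgainstAnchors(forged.cert, anchorsOf(root), "shop.example"))
	fmt.Println("genuine leaf, no anchors:  ", verifyAgainstAnchors(genuine.cert, nil, "shop.example"))
}
```

Two caveats a practitioner should keep in mind when reading the output. First, the forged leaf verifies the moment the relying party also loads "Rogue Root" into its anchors: the chain machinery is only as good as the out-of-band step that chose the roots, which is what Al means by the "pre-loaded in Internet Explorer" remark. Second, x509.Certificate.Verify checks signatures, validity periods, name constraints and the hostname, but it does not consult CRLs or OCSP; the revocation problem Al mentions in passing is left entirely to the caller.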