Company News

Guru-host goes to Centos.org

CentOS Linux
We are thrilled to announce that Guru-host.eu is a sponsor of the CentOS project.
A new repository with a 100Mbit Internet connection on a Dual Core Xeon CPU will be available to all our customers, along with European citizens. This will serve data much faster than the US repositories. Guru-host customers will be able to update their CentOS servers without the traffic (bandwidth) being counted, as the server is running inside our core network. CentOS is 100% compatible with Redhat Enterprise Server.

Enterprise Email Hosting

Guru-host is now offering a wide range of Zimbra hosted packages based on the latest Zimbra Collaboration Suite. With Zimbra you will be able to sync your mobile phone in real time whatever its operating system, share documents, write online documents and use many other interesting features available only on Zimbra. Squirrelmail, Gmail, Horde and other IMAP clients are way behind Zimbra. Contact us to set up a demo account for you. Pricing details, along with useful information about how Zimbra works, can be found under http://guru-host.eu/en/Zimbra.


Network Storage up to 8TB per customer

We can now deliver iSCSI storage on our enterprise class Storage Area Network (SAN) which is based on the industry leading Lefthand Networks platform from HP.

Contact us for a custom quote

PKI… Can we trust anyone out there?

PKI stands for Public Key Infrastructure, the set of hardware, software, people, policies and procedures needed to create, manage, store, distribute and revoke Public Key Certificates based on public-key cryptography. Public key cryptography reduced the number of keys needed for practical secure communication over an insecure channel. The strong authentication part of ITU-T Recommendation X.509 defines a framework for the provision of authentication services under a central control paradigm represented by a Directory.

The Directory contains the following:
CA: a general designation for any entity that controls the authentication services and the management of certificates
Subscriber: an entity that supplies to the CA the information that is to be included in the entity’s certificate
User: any entity that relies upon a certificate issued by a CA in order to obtain information about the subscriber

The main purpose of the CA is to bind a public key to the name contained in the certificate and thus assure third parties that some measure of care was taken to ensure that the binding is valid for both name and key. However, every certificate authority has its own authentication rules, stated clearly in its CPS (Certification Practice Statement), and these rules can be completely different for different CAs.

We must keep in mind that certificates are not magically infused with trustworthiness just because they are digitally signed. One way to add security to a certificate is to add more attributes that limit its scope. However, research has concluded that the lifetime of a certificate is inversely proportional to the sum of the inverse lifetimes of each of its attributes. That means that including more attributes in a certificate, in order to make it more specific to an object, shortens its lifetime. Bearing that in mind, we can all understand why big companies have concluded that only the strictly necessary details should go into their CPSs. CAs are actually delivering a product with zero warranty and a service with almost zero content. Total security is weaker than the weakest component in the system.
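
As an added illustration that is not part of the original article, the relationship above can be written in symbols. Here $T_i$ is the lifetime of attribute $i$, and the constant of proportionality is taken as 1 (an assumption, as are the sample lifetimes below):

$$T_{\text{cert}} = \frac{1}{\sum_{i=1}^{n} \frac{1}{T_i}}$$

Every attribute contributes a positive term $1/T_i$ to the denominator, so each added attribute lowers $T_{\text{cert}}$, and with two or more attributes $T_{\text{cert}}$ is shorter than the shortest-lived attribute. For constructed lifetimes of 10, 5 and 2 years:

$$T_{\text{cert}} = \frac{1}{\frac{1}{10} + \frac{1}{5} + \frac{1}{2}} = \frac{1}{0.8} = 1.25 \text{ years}$$

Adding a fourth attribute that stays valid for 1 year gives $1/1.8 \approx 0.56$ years, less than half the previous value.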

Digging deeper into PKI, more questions are revealed. Who do we trust and for what? Who is using our key? How secure is the verifying computer? Is the CA an authority? Is the user part of the security design? Was it one CA or a CA plus a registration authority? How did the CA identify the certificate holder? How secure are the certificate practices? Why are we using the CA process anyway?

Many attempts have been made to create secure communication, such as PKI, PKIX, PGP, SKIP and more. In many protocols, such as SKIP (and unfortunately it is not the only one), the user has no practical way to control the process, cannot decide which node authenticator is reliable, cannot exclude nodes that have been infected by the enemy, cannot choose certificates and so on.
Many questions concerning security issues are still unanswered. After all this, is there anyone out there who will not consider:
“Do we have any control when we are using Internet?
Who do we trust and for what?
Do we have to sacrifice our privacy on behalf of security?”

Penny Samara
Guru-host's Business Analyst / Security Consultant
BSc Information Systems
MSc Computing & Information Systems
PhD Software Systems Engineering

Posted on: 24/07/2009