Newsgroups: sci.crypt
Path: msuinfo!uchinews!linac!att!cbnewsh!cbnewsh!wcs
From: wcs@cbnewsh.ATT.COM (Bill Stewart 908-949-0705 erebus.att.com!wcs)
Subject: Re: Is a Key Authority necessary (on Internet)?
Organization: AT&T Bell Labs Random Organization Name Generator
Date: Fri, 31 Jan 1992 02:54:24 GMT
Message-ID: <WCS.92Jan30215424@cbnewsh.ATT.COM>
In-Reply-To: rick@ee.ee.uwm.edu's message of Mon, 27 Jan 1992 17:08:29 GMT
References: <10541@lectroid.sw.stratus.com> <10585@lectroid.sw.stratus.com>
	<10297@cactus.org> <1992Jan27.170829.18945@uwm.edu>
Sender: wcs@cbnewsh.cb.att.com (Bill Stewart 908-949-0705 erebus.att.com!wcs)
Lines: 50

In article <1992Jan27.170829.18945@uwm.edu> rick@ee.ee.uwm.edu (Rick Miller) writes:
>   Considering that most machines on the Internet (I mean the ones you can
>   address by octets such as "129.38.1.4") allow users to be 'net-fingered',
>   is a key authority really necessary?  Any user wishing to publish his/her
   ...
>   Certainly, it's *possible* that a crooked SysOp might fidget with the
>   nfinger daemon, but that could be so on any "authority"'s box as well.

Many of us are on networks that block incoming finger requests,
and FAR more people are on nets that communicate with the Internet by
mail gateways but aren't reachable via tcp.  You need to reach everybody.

And you wouldn't only be vulnerable to attacks on the signer's system
- anybody in between you who can forge finger responses can interfere.

But some of the Key Authority methods I've seen proposed don't depend on
on-line connection at all - they can be included in the message,
and include public keys for each level of the hierarchy.
An example might work like this:
	Authority1's public key is E1 = 111111...1 and is widely published.
	Authority1 issues Authority2 a public key E2 = 2222...2, and
		a message   M2="Authority2's public key is 2222...2" and
		a signature S2=signature(message M2, Key D1/E1),
		using some signature technique like decrypting
		an MD5 hash of the message with D1, which you can
		verify  by computing the hash and encrypting with E1.

	Authority2 issues Authority3 a public key E3 = 3333...3, and 
		a message   M3="A3's key is 3333...3, M2, S2", and
		a signature S3=signature(message M3, Key D2/E2)

	Authority3 issues YOU a public key EY, message MY, signature SY.

So you can send someone a message Mx, which includes your public key,
message MY, and signature SY, and they can verify that that key signed
the message Mx, check SY to verify the message MY, which includes M3/S3.
If they don't trust E3 to be Authority3's key, they can use S3 to verify M3,
which says that if you trust Authority2's key you can trust Authority3's.
And so on recursively, till they get to Authority1's well-known key,
which they have their own copy of.

Obviously, there are more elegant ways of expressing the above,
and you can save some steps by caching the parts of the hierarchy that
you've already verified.  (MessageN probably says how long it's valid,
allowing the certifiers to sell you new keys on occasion.)
-- 
				Pray for peace;      Bill
#Bill Stewart +1-908-949-0705 erebus.att.com!wcs AT&T Bell Labs 4M312 Holmdel NJ

		... counting stars by candlelight ...
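[Added worked example, not part of Bill Stewart's post above.]  The
Authority1 -> Authority2 -> Authority3 -> you hierarchy described in the
post, carried through in Python so the recursion can be run.  The
signature mechanism is exactly the one the post names (textbook RSA:
"decrypt" an MD5 digest with D, verify by "encrypting" with E); the
certificate layout, the "valid until day N" field, the names Authority1..3
and all function names are this example's own assumptions, as is the
cache that skips levels already verified.  Caveat a practitioner would
add: raw RSA applied to a bare hash is malleable (signatures multiply),
so real signers use a padding scheme; the point here is the chain
structure, not the primitive.

```python
import hashlib
import random

# Textbook RSA over an MD5 digest, as the post describes it. Caveat: raw RSA
# on a bare hash is malleable; real signers pad. Used here only for illustration.
def _is_probable_prime(n, rounds=25):             # Miller-Rabin
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def generate_keypair(bits=100):                   # n > 2**128 so an MD5 digest fits
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                     # gcd(e, phi) == 1 since e is prime
            return (p * q, e), (p * q, pow(e, -1, phi))   # (public, private); Python 3.8+

def _digest(msg):
    return int.from_bytes(hashlib.md5(msg.encode()).digest(), "big")
def sign(msg, priv):                              # "decrypt" the hash with D
    n, d = priv
    return pow(_digest(msg), d, n)
def verify(msg, sig, pub):                        # "encrypt" with E and compare
    n, e = pub
    return pow(sig, e, n) == _digest(msg)

def serialize(cert):                              # canonical "(M, S)" text of a certificate
    return f"[{cert['body']} | S={cert['sig']}]"

def _body(issuer, subject, pub, not_after, issuer_cert):
    text = f"{issuer} says: {subject}'s public key is {pub[0]},{pub[1]}; valid until day {not_after}"
    if issuer_cert is not None:                    # M3 = "A3's key is 3333...3, M2, S2"
        text += "; issuer cert " + serialize(issuer_cert)
    return text

def issue(issuer, issuer_priv, issuer_cert, subject, subject_pub, not_after):  # issuer_cert None for a root
    body = _body(issuer, subject, subject_pub, not_after, issuer_cert)
    return {"issuer": issuer, "subject": subject, "pub": subject_pub, "not_after": not_after,
            "issuer_cert": issuer_cert, "body": body, "sig": sign(body, issuer_priv)}

def verify_chain(cert, roots, today, cache=None):
    """Return the certified public key, or None. `roots`: root keys the verifier already holds."""
    cache = {} if cache is None else cache
    tag = serialize(cert)
    if tag in cache:
        return cache[tag]
    fields = (cert["issuer"], cert["subject"], cert["pub"], cert["not_after"], cert["issuer_cert"])
    if cert["body"] != _body(*fields) or today > cert["not_after"]:
        return None                                # body/fields disagree, or expired
    issuer_pub = None
    if cert["issuer_cert"] is None:
        issuer_pub = roots.get(cert["issuer"])     # must bottom out at a well-known key
    elif cert["issuer_cert"]["subject"] == cert["issuer"]:
        issuer_pub = verify_chain(cert["issuer_cert"], roots, today, cache)  # recurse upward
    if issuer_pub is None or not verify(cert["body"], cert["sig"], issuer_pub):
        return None
    cache[tag] = cert["pub"]
    return cert["pub"]

def demo():
    """Constructed hierarchy Authority1 -> Authority2 -> Authority3 -> you."""
    (a1_pub, a1_priv), (a2_pub, a2_priv) = generate_keypair(), generate_keypair()
    (a3_pub, a3_priv), (you_pub, you_priv) = generate_keypair(), generate_keypair()
    c2 = issue("Authority1", a1_priv, None, "Authority2", a2_pub, not_after=400)
    c3 = issue("Authority2", a2_priv, c2, "Authority3", a3_pub, not_after=300)
    cy = issue("Authority3", a3_priv, c3, "you", you_pub, not_after=200)
    roots, cache, msg, today = {"Authority1": a1_pub}, {}, "Mx: the message body", 100
    pub = verify_chain(cy, roots, today, cache)
    bad = dict(cy, pub=generate_keypair()[0])      # a key the chain never vouched for
    bad["body"] = _body(bad["issuer"], bad["subject"], bad["pub"], bad["not_after"], bad["issuer_cert"])
    return {
        "chain_ok": pub == you_pub and verify(msg, sign(msg, you_priv), pub),
        "levels_cached": len(cache),                                  # c2, c3, cy
        "no_root_rejected": verify_chain(cy, {}, today) is None,      # recipient lacks E1
        "expired_rejected": verify_chain(cy, roots, today=250) is None,
        "forged_rejected": verify_chain(bad, roots, today) is None,
    }
```

Two checks in verify_chain are what a practitioner would want beyond the
post's sketch: the signed body is rebuilt from the structured fields
before the signature is checked, so an attacker cannot attach a
different (genuine) parent certificate or a different key to a valid
signature; and a recipient who does not hold Authority1's key, or who
reads the chain after its "valid until" day, gets None rather than a key.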
