From owner-spki@c2.net Mon Feb 22 10:37:36 1999 Received: from blacklodge.c2.net (blacklodge.c2.net [140.174.185.245]) by lox.sandelman.ottawa.on.ca (8.8.7/8.8.8) with ESMTP id KAA15263; Mon, 22 Feb 1999 10:37:34 -0500 (EST) Received: (from majordom@localhost) by blacklodge.c2.net (8.8.8/8.7.3) id GAA04108 for spki-outgoing; Mon, 22 Feb 1999 06:41:01 -0800 (PST) Message-Id: <199902220628.RAA00279@stranger.vic.cmis.CSIRO.AU> To: spki@c2.net Cc: Bob.Smart@cmis.CSIRO.AU Subject: TPKI - living without certificates Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 22 Feb 1999 17:27:45 +1100 From: Bob Smart Sender: owner-spki@c2.net Precedence: bulk All the security infrastructures being developed (PKIX, DNSSEC, IPSEC, and even SPKI) show that it is not easy to build security structures with links into the real world. Are there applications that can use public key cryptography without needing certificates to link the public keys to things or rights in the real world? I'd like to answer that with a very positive and definite "maybe". If such applications exist then they are important because they are much easier to implement. They offer the hope of working our way up, and securely bootstrapping the more conventional certificate-based systems. But maybe experience of those certificate-free appliations will give us different ideas about how to link in to the real world. At any rate I've written up a rough outline of what such a system might be like at http://weever.vic.cmis.csiro.au/~smart/tpki.html [TPKI stands for "Trivial Public Key Infrastructure"]. An example of a TPKI-based Bank and payment system is given in http://weever.vic.cmis.csiro.au/~smart/bank.html All very rough at the moment. I'll have a go at tidying them up as internet-drafts next weekend depending on any feedback I might get. Bob P.S. We are likely to be advertising soon for software engineers who are interested in a research environment, working in security and related Distributed Systems areas. Let me know if you would like to receive information about this. We are unlikely to take someone who isn't already resident in Australia. Later in the year we are likely to be advertising for a Project Leader [I'm acting PL at the moment]. For this non-Australians are definitely eligible. If you have a PhD and/or equivalent experience and a research record and want to be kept informed about such an opening then let me know.