Re: [pkng] Where to go? What to do?

[Daniel Kahn Gillmor <dkg@fifthhorseman.net>]

On 10/01/2010 04:07 PM, Massimiliano Pala wrote:

> most important issues we face today (let me know if you need a copy):
> 
>   http://portal.acm.org/citation.cfm?id=1750389.1750404

i'd be interested in a copy of this paper.

> My idea would be to provide two documents. The first describing the overall
> infrastructure and the PKS distributed protocol. This is the protocol that
> would allow PKI-to-PKI interactions via a distributed P2P overlay network.

Though we most likely aren't using the protocols you describe (we're not
even relying on X.509), we actually already have something like this up
and running.  The Monkeysphere project (http://web.monkeysphere.info/ --
i'm one of the developers) uses the P2P SKS keyserver network to
distribute OpenPGP certificates, which are in turn used to authenticate
netork peers (primarily HTTPS and SSH at the moment).

We treat any existing X.509 certificates as raw carriers for public key
material, and authenticate the material through the OpenPGP Web of
Trust.  This means using the same PKI (the WoT) for mail, web browsing,
and SSH, which means we have the potential for intuitive UI
consolidation that humans might be able to understand.

It also means that multiple authorities can choose to certify the same
entity, which breaks one of the big stumbling blocks in the way the
X.509 arrangement is currently set up.  (single-certifier certificates
cause CA lock-in for many parties; CA lock-in dramatically increases the
risk of compromise of authenticated networked communications).

I (and the rest of the Monkeysphere team) would welcome any criticisms,
suggestions, or concerns you have about this project.  The system is
already in use, and we hope to see it grow healthily.

Regards,

	--dkg