##Introduction
Talking about needs of certifcates and encryption in the internet world (know the end points of communications and make them tamperproof). Motivations of the paper :
- Comparative review of three methods (X509, PGP and SKIP)
- Issues of those methods
- Evaluation for other existing or to be developed methods
- Identify improvements
- Safety guidelines for users when resolving certificate issues
- Impact on Internet security transactions due to Gov. policies
##Certification methods
Why do we need to use certification methods : who is the sender, who is the receiver, are they really are who they pretend to be? Presenting the solutions that are central to the paper :
- Directory method : X.509 and CA
- Referral methods : PGP
- Collaborative methods : SKIP
##X.509 and CAs
###Description of the different entities
- CA : can be public (like banks with clients), commercial (like Verisign) or private (like internal departement of a compagny, to log user)
- Subscriber : sends some infos to the CA to add it to his certificate
- User : ask infos to CA(s), it's central to the process, since the user party is relying on the informations and is thus at risk
###Concerns about the authentification services provided by CAs
- The content of a certificate needs to be discussed, as well as certificate revocation
- Issues about DN (Distinguished Name) and CA : a user can possess one or more DN, and use one or more DN on one or more DN
- Validation of the user, using an ID, which is easily subject to fraud
Going deeper with user validation : DN scheme based on X.500 Recomendation, but it is not completly defined, and will (in 1998) probably not be. Also, X509 certification depends on many others such as ISO, ANSI, ITU and IETF. Thus lead to a lack of harmonization. Plus, there is a big problem with CPS (Certification Practice Statements), that also can be seen such as flexibility (for pros), because each CA answer specific needs, so no harmonization again.
Some kind of conclusion about harmonization (lack of), in a world wide vision.
###List of the most important conceptual, legal and implementation flaws (16 of them).
[...]
##PGP
PGP (Pretty Good Privacy), globaly created by put his name. [Schema] It is based on the web-of-trust, if the client doesn't know a CA which gave him a certificate, he ask to the PGP ring. In that ring, even if the client doesn't know everyone, someone will know him, thus the web-of-trust principle. Each member of the ring have a trust evaluation of CAs. If the client knows someone he trust that trust the CA he doesn't know, then he accept the certificate and trust the CA. But if the client trust someone who doesn't trust the CA, he reject the CA. The big point is when nobody knows the CA, and when trusted friends of the client have a medium evaluation of the CA : when to trust, when to reject, at which level of trust?
##SKIP (Simple Key-Management for Internet Protocol)
[...]
##Certification, Risks and Privacy Rights
This section arguments about security policy implementation : where the frontier need to be, is there any limit to privacy for user against governement surveillance? Is the end of the end of the inernet as we know it today (in 1998, thus)? Do the governements need to be involved in the Internet regulation? What is the actual involvement of governement in that [Koop98].
##Conclusions
Both of those methods of certification need a centralized certification control system to be useful in commercial situations. That may be the point of this article, this paradigm is controversial with the Internet paradigm, where everything is decentralized. Certificates are not unbrakable, so users need to be careful. Govenements need to adapt to the technology; technology brings up new problems, so governements need to find new solutions to solve those. MCG is currently (in 1998) on a global standardisation designed to enhance security and performance.
##Back to the future
This article was write in 1998, so there was some improvement in the domain. The author was part of a workgroup called MCG (for Meta-Certificate Group), which was closed in 2000. Their goal was to create a worldwide certification system, so we are now going to look what is up to date (thus in 2015).
###DANE
DANE, for DNS-based Authentication of Named Entities, [...]
##Links to follow
- Google certificate transparency : http://www.certificate-transparency.org/what-is-ct
- DANE : Wikipedia, a Internet Society article