Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Prepared for submission to the 'IS in the Information Society' Track of the Euro. Conf. in Inf. Syst. (ECIS 2001), Bled, Slovenia, 27-29 June 2001
Version of 9 November 2000
© Xamax Consultancy Pty Ltd, 2000
This document is at http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html
It has been conventional wisdom that, for e-commerce to fulfil its potential, each party to a transaction must be confident in the identity of the others. Digital signature technology, based on public key cryptography, has been claimed as the means whereby this can be achieved. Digital signatures do little, however, unless a substantial infrastructure is in place to provide a basis for believing that the signature means something of significance to the relying party.
Conventional, hierarchical PKI, built around the ISO standard X.509, has been, and will continue to be, a substantial failure. This paper examines that form of PKI architecture, and concludes that it is a very poor fit to the real needs of cyberspace participants. The reasons are its inherently hierarchical and authoritarian nature, the unreasonable presumptions it makes about the security of private keys, a range of other technical defects, confusions about what it is that a certificate actually authenticates, and its inherent privacy-invasiveness. Alternatives are identified.
There has been a perception that the adoption of e-commerce has been significantly slowed because, in cyberspace, buyers don't trust unidentifiable sellers. Digital signatures, and the mechanism that support them, Public Key Infrastructure (PKI), have been touted as the solution to the problem. Despite quite some years of development, however, each step forward with PKI seems to create a set of new sub-problems.
Meanwhile, a range of other impediments to net-consumer trust of cyberspace merchants has been identified (Clarke 1999c). And PKI has been criticised on both technical grounds (e.g. Ellison and Schneier 2000) and privacy grounds (e.g. Greenleaf & Clarke 1997). This paper examines PKI from a broader perspective, by relating its features to what the Information Society really needs.
The paper commences by stating the problem that was originally perceived, and describing the currently conventional technology that has been harnessed to solve it. Major problems with that solution are then identified, in the areas of key insecurity, other technical deficiencies, its failure to provide useful assurances to net-users, and its privacy-invasiveness. The paper concludes by explaining the critical nature of 'nyms', and a brisk assessment of alternative approaches that hold out greater prospect for meeting the needs of Information Society.
The commercial potential of the Internet became apparent only in the mid-1990s. Wired Magazine, launched in October 1994, claimed (with justification) that its Hotwired venture was the first commercial web-site.
From an early stage, the conventional wisdom was that e-commerce, in comparison with purchasing in a physical location like a shop, lacks the important comfort factor of seeing who you're dealing with, or at least being able to see the merchant's physical 'foot-print'. It was therefore postulated that successful commerce on public networks would be dependent on some other means of establishing trust.
A leap was then made to the conclusion that trust would need to be based on a mechanism for the identification of parties who deal on the net, supplemented by authentication mechanisms to test the assertions of identity. A recent expression of this is that "Fundamentally, electronic commerce involves the use of remote communications and therefore necessitates all parties involved to authenticate one another ... [because] the parties will not at the time of transacting have face to face dialogue" (McCullagh & Caelli, 2000).
Moreover, the demand for identity was presumed to be two-sided, i.e. not only would the merchant or services-provider identify themselves to the consumer but consumers would also identify themselves to sellers. It is unclear whether this was a conscious assumption, and if so whether it was based on an analysis of merchant behaviour, or was merely a pretext for the creation of exploitable trails of consumer behaviour. Either way, it represents a significant compromise of what have hitherto been to a considerable extent anonymous transactions.
This section provides a brief overview of the key technologies that have enabled engineers to address the perceived problem described above.
During the 1980s, public key (or 'asymmetric') cryptography had emerged. Public key cryptography involves two related keys, referred to as a 'key-pair', one of which only the owner knows (the 'private key') and the other which anyone can know (the 'public key'). Because only one party needs to know the private key, it does not need to be transmitted between parties, and hence it need never be exposed to the risk of interception. Knowledge of the public key by a third party, on the other hand, does not compromise the security of message transmissions (Diffie & Hellman 1976, Schneier 1996). For a tutorial treatment, see Clarke 1996).
The following sub-sections introduce the key application of 'digital signatures', and then the infrastructure on which they depend. The dominant form of public key infrastructure is then outlined and interpreted.
Digital signatures are a particular application of public key cryptography. A digital signature is a block of data that is generated from a message prior to its despatch, and is appended to it. The block is prepared by a two-step process:
The recipient re-creates the message digest from the message that they receive, uses the sender's public key to decrypt the digital signature that they received appended to the message itself, and compares the two results. If they are identical, then:
This paper concerns itself with only the second of these, the use of a digital signature to authenticate something about the message-sender.
Digital signatures were naively presumed by many people to provide unqualified assurance. In practice, however, the effectiveness of the mechanism is dependent on a number of conditions, in particular:
Digital signature schemes depend on the public key of the message-sender being available to the recipient. The most practicable methods of achieving this are:
All of these approaches are subject to 'spoofing', i.e. an imposter can send a message that includes a public key, or store a public key in a directory, and thereby fool the other party into thinking the message came from a particular person or organisation.
To address this risk, the concept was created of a 'certificate' that attests to the fact that that public key is associated with a particular party. (The technical literature uses the term 'is bound to' rather than 'is associated with'. This implies to the normal reader a far stronger kind of association than the technique actually warrants).
More precisely, a 'certificate' is a digitally signed, structured message that asserts an association between specific data and a particular public key. An 'identity certificate' is then a particular class of certificate that associates a particular identifier with a particular public key. (It will be argued later in this paper that the term 'identifier' should really be replaced by 'nym'). Regrettably, most of the literature uses the term 'certificate' to refer to both of these concepts, often in the same sentence, despite the fact that the differences are extremely important.
According to conventional thinking, a certificate needs to be created by a trusted 'public key certification authority' (CA). A CA digitally signs each certificate using its own private key. In most schemes, that certificate is provided to the party that claims the particular key to be its own, who includes it in the messages that they send. A message with a CA's certificate attached therefore functions in a manner analogous to a letter applying for a job being accompanied by a letter from a referee attesting to something about the applicant, such as their identity, their good character, their experience, or their qualifications.
A CA needs to undertake some form of authentication process in order to satisfy itself that the claimed association actually exists. A conventional approach is to depend on the services of a Registration Authority (RA), such as a Post Office. A comprehensive process would require the person with whom the key is to be associated to undertake all of the following:
Because of the effort and expense involved, the onerousness and the demeaning nature of the process, schemes generally compromise on these requirements. Many ignore them almost entirely by, for example, depending on some prior relationship between the person and the RA or CA.
CAs deflect attention from the critical weaknesses of their registration processes by drawing attention to the physical and electronic security of the facilities that they use to generate the certificate.
The dominant standard at present is the family of CCITT X.500 standards, in particular X.509 (X.509 1988, Housley et al. 1999). The current version of X.509 is number 3, usually referred to as X.509v3, which was finalised in 1997. A set of standards, dubbed PKIX, enables use of X.509 approaches within the web-context (W3C 2000). Guidance has been provided by texts such as Ford & Baum (1997), Adams & Lloyd (1999) and Austin et al. (2000).
Ellison (1997) describes the history this way: "the X.500 proposal was published [in the late 1980s]. It was to be a global directory of named entities. To tie a public key to some node or sub-directory of that structure, the X.509 certificate was defined. The Subject of such a certificate was a path name indicating a node in the X.500 database - a so-called 'Distinguished Name'. The X.500 dream has effectively died but the X.509 certificate has lived on. The distinguished name took the place of a person's name and the certificate was called an 'identity certificate', assumed to bind an identity to a public key ...". In short, X.509 was the hammer that came to hand when the nail was discovered.
All forms of PKI necessarily involve some degree of intrusiveness, in order that sufficient quality can be achieved. Conventional PKI, built around X.509v3 certificates, is especially severe. Implementations commonly have many of the following features:
Current X.509v3 certificates go so far as to permit an agent of an organisation to protect their personal identity through the use of a role-title; but they actually preclude an individual (referred to as a 'residential person') from having that capability. Moreover, some implementations may preclude a residential person from possessing multiple personal key-pairs, even though the same person is permitted to possess multiple key-pairs for organisations that they represent.
Some schemes even involve the key-pair generation process being compulsorily performed by some organisation on behalf of individuals, and compulsory storage (or 'escrow') of the private key.
X.509v3 certificates provide a limited means for communicating attributes, within the primary certificate or through the creation of secondary certificates which may attest to one or more characteristics of the individual. But the attributes are inherently linked to and dependent on the primary certificate, which bears the individual's identifier.
Given the nature of X.509v3-based PKI, individuals, including not only consumers, but also employees and contractors, especially those in sensitive occupations, are justified in having serious concerns about schemes of this nature being inflicted upon them.
X.509v3-based PKI is inherently hierarchical. This is because trust in the CA is not automatic, and each layer of CAs needs to be attested to by some superior layer. Conventional PKI therefore depends on one partly but not entirely trusted third party, which in turns depends on another such partly but not entirely trusted third party, which needs to be attested to be some further superior layer. This results in an unholy spiral up to some mythical authority in which everyone is assumed to have ultimate trust. Trust in the real world has never worked like that, and trust in cyberspace won't either.
Such shemes can also be readily argued to be authoritarian in nature (Clarke 1994b). For example, there is an intrinsic assumption that all parties providing certificates are required to disclose their identity, even if the only functional need is to communicate eligibility (e.g. age, their age, qualifications, or agency relationship with a principal).
The further assumption is made that the 'distinguished name' has to be unique within the 'name-space'. This precludes the second and subsequent, say John Robinson, from using their own name without some kind of qualifier. It also provides no basis for individuals to use alternative identifiers, and implicitly denies individuals the capability to have and use multiple key-pairs, and multiple certificates. The engineers who created the X.509 standard appear to have been blithely unaware that multiple identities per person are entirely legal in many jurisdictions, including those whose legal systems derive from the United Kingdom (Clarke 1994c).
A further feature of schemes of this kind is an implicit assumption that a CA will provide some form of warranty and/or indemnity to accompany the assurance, i.e. to recognise financial liability in the event that the assurance transpires to be incorrect, and that a party's reasonable dependence on the assurance resulted in economic cost. In practice, however, CAs are very eager to phrase what are commonly termed 'Certificate Policy Statements' in such a manner that they minimise their exposure.
With some qualifications, X.509v3 architectures are designed work within an 'absolute trust' view of security, rather than a 'risk-management' approach. On the other hand, actual implementations tend to compromise this, sometimes severely. In particular, most operational schemes have only one layer of CA, and the basis on which each recipient of a message is supposed to trust those CAs is a 'self-signed' certificate, i.e. blind trust in the company, its intentions, and its procedures.
For whatever reason, the major implementations of X.509-based PKI, such as that based on the Verisign certificates embedded in commercially-available web-browsers, are at best 'relaxed' applications of formal X.509 standards, and hence the current PKI is even less meaningful than that which would be feasible if it was applied as intended.
Underlying digital signatures and PKI is the assumption that the holder of a private key will be able to ensure its security. During the 1999-2000 period, corporate servers have been subject to a rash of electronic break-ins. The ease with which many of these have been performed have demonstrated the serious inadequacy of the precautions taken by organisations of all kinds and all sizes.
To date, it does not appear that private keys have been a particular target of the crackers. There are likely to have been multiple reasons for this, not least the relatively small usage of private keys, and the fact that there have been plenty of more attractive items of data to aim for. As and when private digital signature keys attract more attention, it is reasonable to expect that more attacks will be made, and that many corporate keys will be compromised.
Conventional PKI also assumes that consumers and citizens will have, and will need to use, private keys. The author has recently supervised a project to examine the scope for consumers to protect their keys within 'commodity workstations', such as Windows, MacOS and Linux machines directly connected to the Internet via commercial Internet access service providers (Kaiser 2000). In general, commodity workstations have very limited security features within the available hardware or systems software. There are few products available that would enable consumers to graft security features on to their work-and-play facilities, and such products as exist require considerable expertise to install and configure.
Private keys are susceptible to a vast array of risks, both of capture, and of invocation without the authority of, or even knowledge of, the consumer/citizen. As Ellison & Schneier (2000b) put it: "Alice's digital signature does not prove that Alice signed the message, only that her private key did. When writing about non-repudiation, cryptographic theorists often ignore a messy detail that lies between Alice and her key: her computer. If her computer were appropriately infected, the malicious code could use her key to sign documents without her knowledge or permission. Even if she needed to give explicit approval for each signature (e.g., via a fingerprint scanner), the malicious code could wait until she approved a signature and sign its own message instead of hers. If the private key is not in tamper-resistant hardware, the malicious code can just steal the key as soon as it's used".
In short, the context of use of digital signatures is such that very little confidence can be placed in the meaningfulness and reliability of authentication processes that depend on them.
A range of other difficulties have been identified (Ellison & Schneier 2000).
For example, there are difficulties in detecting that a private key has been compromised, and after that there are difficulties in implementing an effective revocation process. This is especially serious if retrospective revocation is permitted (i.e. notification to a set of recipients that a private key had been compromised since some past time, and that the sender reserves the right to repudiate transactions signed after that time). Time-stamping is a critical aspect of revocation processes; but it is not an assured, secure service.
Another issus is that X.509-based PKI assumes either that there is a single global name-space (i.e. world government, and a single, unique identifier imposed on every citizen of the world), or that multiple name-spaces exist, but that they inter-operate (and that each regional authority imposes a single, unique identifier on every person under their jurisdiction).
Ellison (1996) long ago concluded that "if the bond between key and person is broken, no layer of certificates will strengthen it. On the contrary, in this case certificates merely provide a false sense of security to the [recipient]".
The final issue strikes at the very heart of PKI. The presumption made by most commentators is that a certificate provides the message-recipient with assurance that the sender was indeed who the sender purports to be. But that is not the case.
The concept of 'authentication' has been seriously misunderstood by the designers of X.509-based PKI. Authentication is a process whereby a degree of confidence is established in the truth of an assertion. There are many kinds of assertions that can be the subject of authentication processes. Among them are assertions of the form 'this artefact has a value equivalent to so much of a particular currency', and 'the sender of this message has a credential that attests to their eligibility to perform a particular function'.
In order to discuss the real meaning of a certificate, some definitions of terms are needed:
One (but only one) kind of assertion that may be subject to authentication is 'the sender of this message is the (or an) entity that uses a particular identifier'.
But a certificate doesn't attest to that. It does attest that:
Depending on the registration process that was applied, it may also attest that:
A certificate provides no assurance about whether:
Morover, such assurance as a certificate provides is qualified by terms dictated by the CA's lawyers; and very limited recourse is available should the assurance be wrong.
McCullagh & Caelli (2000) argue that "In the legal sense an alleged signatory to a document is always able to repudiate a signature that has been attributed to him or her. The basis for a repudiation of a traditional signature may include:
"There is a strong movement to legally reverse the onus of proof for digital signatures. The position being promoted is for the alleged signatory to have the onus of proof in establishing that he or she did not digitally sign a given document. ... It is submitted that the law should not in the electronic commerce environment alter this position as regards to the legal rights of parties to repudiate a digital signature".
McCullagh and Caelli conclude that "Without a trusted computing system, neither party - the signer or the recipient - is in a position to produce the necessary evidence to prove their respective case". In short, an X.509v3 PKI is of no use, unless conditions are satisfied that manifestly are not satisfied.
The inescapable conclusion is that the contemporary implementation of PKI in the Internet context is a complete waste of time and effort, and represents nothing more than a gesture towards the need for security.
The previous sections have focussed mainly on technical inadequacies, but mentioned privacy in passing. This section summarises the privacy impact of conventional digital signatures and PKI. Greenleaf & Clarke (1997) identified a wide range of threats, and categorised them as follows:
Some of these problems are features of conventional PKI schemes that could be avoided or designed around. Many, however, are direct implications of the nature of the X.509 architecture and certificate design.
Conventional PKI are ineffectual and privacy-invasive. Fortunately, there are other ways to address the need for trust in marketspaces. Their discovery depends in part on re-definition of the problem.
The 'web of trust' approach is intrinsic to the longstanding alternative product Pretty Good Privacy (PGP) - ( (Zimmerman 1995, Garfinkel 1995, Bacard 1995, Stallings 1995). This avoids the need for professional CAs, because certificates can be issued by anyone. Fault-tolerance is achieved by depending on multiple certificates, probably with varying weightings assigned to them by the evaluator, on the basis of the degree of trust they place in the person who provided the certificate. The 'identifier' used is the email-address. This is unique, simply because of the manner in which domain-names are allocated, and aliases and user-names are assigned.
The approach requires message-recipients to consider the extent to which they really need assurance, and confront the simple fact that all assurance is relative rather than absolute. The PGP concept is non-deterministic and uncomfortable, but it reflects the reality of social and economic activity.
This finds echoes in the works of some theorists. For example, Maurer (1996) highlights the fragility of the assumption that the determination of trust is deterministic and computable on the basis of certificates, and discusses the alternative of a probabilistic approach to the problem. This is related to the naive military concept of 'absolute trust' and the less naive, more realistic and less expensive alternative of a 'risk-managed' approach to security issues.
Criticisms have been levelled at PGP's specific implementation of the 'web of trust' notion. But arguments have been pursued for the concept to be broadened and applied more generally (Grossman 2000).
Another standardisation process is that which grew out of Simple Public Key Architecture (SPKI) - (Ellison 1996, IETF 1997-, Wang 1998, Ellison 2000). The momentum has now shifted to a parallel initiative, the Simple Distributed Security Infrastructure (SDSI) - (Rivest & Lampson 1996, SDSI 1996, Ellison 2000). The two approaches are in the process of being harmonised.
The key element of SDSI is that the X.509 nirvana of a single, global name-space has been abandoned. With it, the presumption has been removed that 'name' (or, better expressed, 'identifier') is reliably bound to a particular entity. In effect, the certificate binds a public key (and hence a key-pair) to an entity that only the CA knows. No warranties are provided by the CA to the recipient of the message as to who the keyholder is.
Attributes are associated with public keys, not with identities of real-world entities. Hence, for example, a recipient can be assured that a particular message was provided by a medical practitioner, or a person over 18, or over 65, or in possession of power of attorney for a company for purchases up to $10,000; but the certificate is silent about the identity of the person who is using the key (Ellison 2000).
Brands (2000) proposes a different conception and implementation of digital certificates, such that privacy is protected without sacrificing security. The validity of such certificates and their contents can be checked, but the identity of the certificate-holder cannot be extracted, and different actions by the same person cannot be linked. Certificate holders have control over what information is disclosed, and to whom.
Trust may be based on reputation, by which is meant 'generally held' positive opinion about an entity.
There are several ways in which 'generally held' opinion can arise. These include:
An earlier section argued that the privacy impacts of PKI are severe. It is critical that any assurance mechanism that is implemented on the Internet be at least tolerant, and even actively supportive, of anonymity and pseudonymity. These concepts, examined in Clarke (1993), Clarke (1994) and Clarke (1999), are critical to ensure that the advent of cyberspace does not mean the death of private space.
If PKI is to serve the needs of information society, the focus must be moved away from identities of individuals. One direction of importance is to address the question of agents, both other humans and artefacts, and mechanisms for effective delegation to them.
Another vital set of needs is for:
These objectives can be achieved through the application of the concept of a 'nym'. This is the pseudo-identity that arises from anonymous and pseudonymous dealings (McCullagh 1996-, Clarke 1999).
An earlier section offered definitions for the terms 'entity', 'identity' and 'identifier'. Two further terms require explanation:
Nyms are not mere imagination: technologies exist that enable them. See EPIC (1997-) and Clarke (1999a). Moreover, it may be very important to the future of e-commerce that infrastructure support nyms, and that people adjust to their existence and nature. As Ellison (1997) argued: "The [U.S. House Hearing] asked 'Do you know who you are doing business with?'. Before answering that question, one should really answer the two questions: 'Do you need to know who you are doing business with?', and 'Can you know who you are doing business with?'".
Nyms are in practice replacing identifers. Leaving aside services / protocols such as IRC, MUDDs and ICQ:
Any approach to inculcating trust in marketspaces will need to implement persistent nyms at least for the consumer side of the transaction.
An approach that avoids and dissolves the problems with PKI rather than trying to solve them, is trust-management systems (Blaze et al. 1999a, Blaze et al. 1999b). These can be viewed as generalisations of longstanding access control techniques for achieving security of software processes and data.
Trust management systems are argued by Blaze (1999) to have five basic components:
The trust management approach also offers ways of addressing privacy, because it is much less concerned about identified individuals, because it focusses primarily on privileges and restrictions; and because it can deal with nyms representing pseudonymous roles just as readily as with names that are associated with an identified human.
The originally perceived need was that, for e-commerce to become mainstream, at least merchants, and probably also consumers, needed to identify themselves, and enable authentication of the identifiers they provided.
But the technical orientation that has been adopted by the proponents of PKI does not address the needs of the Information Society. The real social need is for trust in e-interactions: for consumers to have security and convenience, but without surrendering personal data to sellers (and hence to others who may gain access to it, such as other merchants, and agencies of government).
Conventional X.509v3-based PKI suffers from such serious inadequacies that its application is highly suspect. The existence of an increasingly rich set of alternatives to conventional, hierarchical PKI shows that the time has now come to recognise the inherent deficiencies of X.509 architectures, abandon attempts to impose them on open, public systems, and restrict their use to within organisations that have strict hierarchical structures.
Adams C. & Lloyd S. (1999) 'Understanding the Public-Key Infrastructure' New Riders Publishing, 1999
Austin T., Huaman D. & Austin T.W. (2000) 'Public Key Infrastructure Essentials', John Wiley & Sons, 2000
Bacard A. (1995) 'The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption, Data Protection, and PGP Privacy Software', Peachpit Press 1995, at http://www.andrebacard.com/press.html
Blaze M. (1999) 'Using the KeyNote Trust Management System', November 1999, at http://www.crypto.com/trustmgt/kn.html
Blaze M., J. Feigenbaum J., Ioannidis J. & Keromytis A. (1999a) 'The KeyNote Trust-Management System Version 2' RFC2704, IETF, September 1999, at http://www.crypto.com/papers/rfc2704.txt
Blaze M., Feigenbaum J., Ioannidis J. & Keromytis A. (1999b) 'The Role of Trust Management in Distributed System Security' Chapter in Vitek & Jensen (Eds.) 'Secure Internet Programming: Security Issues for Mobile and Distributed Objects, Springer-Verlag, 1999, at http://www.crypto.com/papers/trustmgt.pdf
Branchaud, M. (1997) 'A Survey of Public Key Infrastructures', Master's Thesis, Department of Computer Science, McGill University, Montreal, March 1997, at http://www.xcert.com/~marcnarc/PKI/thesis/
Brands S.A. (2000) 'Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy' MIT Press, 2000
Clarke R. (1993) 'Computer Matching and Digital Identity' Proc. Computers, Freedom & Privacy, February 1993, at http://www.anu.edu.au/people/Roger.Clarke/DV/CFP93.html
Clarke R. (1994a) 'The Digital Persona and its Application to Data Surveillance' The Information Society 10,2 (June 1994), at http://www.anu.edu.au/people/Roger.Clarke/DV/DigPersona.html
Clarke R. (1994b) 'Information Technology: Weapon of Authoritarianism or Tool of Democracy?' Proc. World Congress, Int'l Fed. of Info. Processing, Hamburg, September 1994. At http://www.anu.edu.au/people/Roger.Clarke/DV/PaperAuthism.html
Clarke R. (1994c) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' Info. Technology & People 7,4 (December 1994). At http://www.anu.edu.au/people/Roger.Clarke/DV/HumanID.html
Clarke R. (1996) 'Cryptography in Plain Text', Privacy Law & Policy Reporter 3, 2 (May 1996) 24-27, 30-33, at http://www.anu.edu.au/people/Roger.Clarke/II/CryptoSecy.html
Clarke R. (1997) 'Chip-Based ID: Promise and Peril' Proc. Int'l Conf. on Privacy, Montreal, 23-26 September 1997, at http://www.anu.edu.au/people/Roger.Clarke/DV/IDCards97.html
Clarke R. (1998) 'Public Key Infrastructure: Position Statement', May 1998, at http://www.anu.edu.au/people/Roger.Clarke/DV/PKIPosn.html
Clarke R. (1999a) 'Privacy-Enhancing and Privacy-Sympathetic Technologies: Resources', April 1999, at http://www.anu.edu.au/people/Roger.Clarke/DV/PEPST.html
Clarke R. (1999b) 'Identified, Anonymous and Pseudonymous Transactions: The Spectrum of Choice' Proc. User Identification & Privacy Protection Conf., Stockholm, 14-15 June 1999, at http://www.anu.edu.au/people/Roger.Clarke/DV/UIPP99.html
Clarke R. (1999c) 'The Willingness of Net-Consumers to Pay: A Lack-of-Progress Report', Proc. 12th International Bled EC Conf., Slovenia, June 1999, at http://www.anu.edu.au/people/Roger.Clarke/EC/WillPay.html
Clarke R. (2000a) 'Privacy Requirements of Public Key Infrastructure' Internet Law Bulletin 3, 1 (April 2000) 2-6. Republished in 'Global Electronic Commerce', published by the World Markets Research Centre in collaboration with the UN/ECE's e-Commerce Forum on 'Electronic Commerce for Transition Economies in the Digital Age', 19-20 June 2000, at http://www.anu.edu.au/people/Roger.Clarke/DV/PKI2000.html
Clarke R. (2000b) 'Interview', September 2000, at http://www.anu.edu.au/people/Roger.Clarke/DV/BiometixIview.html
Diffie W. & Hellman M. (1976) 'New directions in cryptography' IEEE Transactions on Information Theory, pp. 644-654, November 1976
Ellison C. (1996) 'Establishing Identity Without Certification Authorities', Proc. 6th USENIX Security Symposium, San Jose CA, July 22-25, 1996, at http://world.std.com/~cme/usenix.html
Ellison C. (1997) 'What do you need to know about the person with whom you are doing business?' Written testimony of Carl M. Ellison to the U.S. House of Representatives Science and Technology Subcommittee, Hearing of 28 October 1997: Signatures in a Digital Age, at http://world.std.com/~cme/html/congress1.html
Ellison C. (1999) 'The nature of a usable PKI' Computer Networks 31 (1999) 823-830
Ellison C. (2000) 'Naming and Certificates', Proc. Computers, Freedom & Privacy 2000, at http://www.cfp2000.org/papers/ellison.pdf
Ellison C. (2000) 'SPKI/SDSI and the Web of Trust' September 2000, at http://world.std.com/~cme/html/web.html
Ellison C. & Schneier B. (2000a) 'Risks of PKI: Electronic Commerce' Inside Risks 116, Commun. ACM 43, 2 (February 2000), at http://www.counterpane.com/insiderisks5.html
Ellison C. & Schneier B. (2000b) 'Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure' Computer Security Journal, v 16, n 1, 2000, pp. 1-7, at http://www.counterpane.com/pki-risks.html
EPIC (1997-) 'EPIC Online Guide to Practical Privacy Tools', at http://www.epic.org/privacy/tools.html
Ford W. & Baum M.S. (1997) 'Secure Electronic Commerce: Building the Infrastructure for Digital Signatures and Encryption', Prentice Hall, 1997
Froomkin A.M. (1996) 'The Essential Role of Trusted Third Parties in Electronic Commerce' Oregon L. Rev. 75,1 (Spring, 1996) 49-115
Garfinkel S. (1995) 'PGP: Pretty Good Privacy' O'Reilly & Associates, 1995, AT http://www.ora.com/catalog/pgp/
Greenleaf G.W. & Clarke R. (1997) `Privacy Implications of Digital Signatures', IBC Conference on Digital Signatures, Sydney (March 1997), at http://www.anu.edu.au/people/Roger.Clarke/DV/DigSig.html
Grossman W. (2000) 'Circles of Trust', Scientific American, August 2000, at http://www.sciam.com/2000/0800issue/0800cyber.html
Housley R., Ford W., Polk W. and Solo D. (1999) 'Internet X.509 Public Key Infrastructure Certificate and CRL Profile', RFC 2459, January 1999, at http://www.ietf.org/rfc/rfc2459.txt
IETF (1997-) 'Simple Public Key Infrastructure (SPKI)', at http://www.ietf.org/html.charters/spki-charter.html
Kaiser T. (2000) 'Secure Storage of Private Keys on Commodity Workstations', Unpublished Honours Thesis, Department of Computer Science, Australian National University, November 2000
Khare R. & Rifkin A. (1997) 'Weaving a Web of Trust' Revised version of a paper World Wide Web Journal 2 3 (Summer 1997) 77-112, at http://www.cs.caltech.edu/~adam/local/trust.html
Lampson B., Abadi M., Burrows M. & Wobber E. (1992) 'Authentication in distributed systems: theory and practice' ACM Transactions on Computer Systems, 10(4):265{310, November 1992, at http://gatekeeper.dec.com/pub/DEC/SRC/research-reports/abstracts/src-rr-083.html
McCullagh D. (1996-) 'Nym', at http://www.well.com/user/declan/nym/
McCullagh A. & Caelli W. (2000) 'Non-Repudiation in the Digital Environment' First Monday 5, 8 (August 2000), at http://firstmonday.org/issues/issue5_8/mccullagh/index.html
Maurer U. (1996) 'Modelling a Public-Key Infrastructure' Proc. 1996 European Symposium on Research in Computer Security (ESORICS' 96), Lecture Notes in Computer Science, Springer-Verlag, vol. 1146, pp. 325-350, 1996, at ftp://ftp.inf.ethz.ch/pub/publications/papers/ti/isc/wwwisc/Maurer96b.pdf
Rivest R.L. & Lampson B. (1996) 'SDSI - A Simple Distributed Security Infrastructure', 15 Sep 1996, at http://theory.lcs.mit.edu/~rivest/sdsi10.html
Schneier B. (1996) 'Applied Cryptography' Wiley, 2nd Ed., 1996
SDSI (1996-) 'A Simple Distributed Security Infrastructure (SDSI)', 1996-, at http://theory.lcs.mit.edu/~cis/sdsi.html
Stallings W. (1995) 'Protect Your Privacy: The PGP User's Guide' Prentice Hall, 1995
W3C (2000) 'Public-Key Infrastructure (X.509) (pkix)', at http://www.ietf.org/html.charters/pkix-charter.html
Wang Y. (1998) 'SPKI' December 1998, at http://www.hut.fi/~yuwang/publications/SPKI/SPKI.html
X.509 (1988) 'The Directory - Authentication Framework', Volume VIII of CCITT Blue Book, pages 48-81, CCITT, 1988
Zimmermann P.R. (1995) 'PGP 5.0 User's Guide' MIT Press, 1995, at http://mitpress.mit.edu/book-home.tcl?isbn=0262740176
Go to Roger's Home Page.
Go to the contents-page for this segment.
Created: 6 November 2000
Last Amended: 9 November 2000
These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content). |
The Australian National University Visiting Fellow, Faculty of Engineering and Information Technology, Information Sciences Building Room 211 | Xamax Consultancy
Pty Ltd, ACN: 002 360 456 78 Sidaway St Chapman ACT 2611 AUSTRALIA Tel: +61 2 6288 1472, 6288 6916 |