Public Key Infrastructure
All of the identification systems presented in the previous section share a common flaw: they allow people to create private relationships between themselves and a particular computer system, but they don’t allow these relationships to be framed within the context of a larger society. They are all private identification systems, not public ones.
For example, say that Jonathan Marshall enrolls with a nationwide
online service and creates an email account. When he creates the
account, he gets a username, jonathan
, and a
password, deus451
. Whenever Jonathan wishes to
pick up his email, he uses his password to prove his identity. He
might even create a private key to prove his identity, and give his
online service a copy of his public key.
Now imagine that Jonathan loses his password. He can always go back
to the nationwide service and create a new username,
jmarshall
, and a new password,
excom3.0.
But how does Jonathan convince the
people he has been exchanging email with that jonathan
and jmarshall
are actually the same
person?
One way that Jonathan could try to prove his identity would be for him to email his telephone number to his friends, and ask them to call him. This might work for people who had heard Jonathan’s voice. Others, though, would have no way of knowing if Jonathan’s voice really belonged to Jonathan or belonged to an imposter. This technique also wouldn’t work if Jonathan was in the habit of posting in public forums: if there were thousands ...
Get Web Security and Commerce now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.