c nerd blog — PKI & PGP

approach

All major operating systems and browsers support the Public Key Infrastructure (PKI). However, it has a deep structural weakness, a single point of failure: the organisations that issue the certificates. Unfortunately, certification authorities can be compromised, and I’m pretty sure that’s happened more often than is acknowledged. Worse, there’s no need to compromise an authority: some are so lazy they don’t check their customers’ identities, so it’s not difficult to buy false certificates.

All the same, I like the infrastructure. It makes trust between software components easier to maintain. The solution for me is not to depend on third-party certification authorities, but to self-certify. There’s no obligation to trust my certificates, and I’m happy to hand them out in person so you know they come from me. Fortunately for me, I don’t get so much traffic, otherwise this approach would be difficult.

I support the alternative Pretty Good Privacy (PGP) because it’s reputedly a better technology, and a number of the technorati use it. All the same, it’s Betamax to the PKI’s VHS, so I’m only investing effort in PGP for one email address (for now). If you’re interested, here’s where to get software.

I’ve built all this using OpenSSL on OpenBSD. Of course, I’m not abandoning Mr. Cook’s and Mr. Gates’s companies: they do, after all, enable me to earn wages. I’m just adding my own layer of security outside their products.

I don’t know now whether anything I can do could help others protect themselves.