Public Key Infrastructure

Evey website you use makes use of Public Key Infrastructure (PKI) to provide you with the good bet that the server you are feeding your credit card information into is in fact the one that is authorized to serve up the web address you are looking at in your address bar.

This is done with X.509 certificates and TLS. We generally only use a form of TLS that requires one side to have a public key that is verifiable, but the requirement can be two sided so that you know that you are talking to such and such a server and it knows it is talking to you in particular because you have the private key corresponding to what it knows as your public one, or there’s a certification process such as X.509.

An alternative PKI is Pretty Good Privacy (PGP). In PGP instead of having certificates issued by central authorities that have keys installed on your OS you have what is called a “Web of Trust” that is created by the various different keys you have trusted, and who they trust.

These two systems use the same key algorithms and can use each other’s keys. The different is solely in the standard used to provide authentication that the keys are valid.

There is already a project, Monkey Sphere, that is creating a system that allows one to combine the two so that the web of trust can be used in places where the more traditional form is X.509, and visa versa. We believe this project can provide a good foundation for authentication and trust in Homestead. The trust level of the key is an obvious scoring point for Zero Trust and X.509 can be used to authenticate service and device keys that have various renewal requirements. The Web of Trust tells us how much we trust the root key that signed whatever key we are looking at; provided via an X.509 certificate.

If we could trust each others’ keys we could trust each others’ devices and allow them to access stuff we’d like to share with them. We can let our grandparents look at photos of the kids without having to create an account in one or another cesspool by letting her cell phone directly access our own central store of pictures. Open Source developers use PKI to authenticate each others’ code all the time. It works pretty good but there are of course weaknesses.

Done right, PKI is hard to break, which is why the whole Internet uses it. Done wrong it’s pretty pointless. So far it’s been tough to make a user friendly system, but there are promising technologies that could be very useful to solving this problem.