Establishing Identity Without Certification Authorities
Carl M. Ellison
It is commonly assumed that if one wants to be sure a public key
belongs to the person he hopes it does, he must use an identity
certificate issued by a trusted Certification Authority (CA). The
thesis of this paper is that a traditional identity certificate is
neither necessary nor sufficient for this purpose. It is especially
useless if the two parties concerned did not have the foresight to
obtain such certificates before desiring to open a secure channel.
There are many methods for establishing identity without using
certificates from trusted certification authorities. The relationship
between verifier and subject guides the choice of method. Many of
these relationships have easy, straight-forward methods for binding a
public key to an identity, using a broadcast channel or 1:1 meetings,
but one relationship makes it especially difficult. That relationship
is one with an old friend with whom you had lost touch but who appears
now to be available on the net. You make contact and share a few
exchanges which suggest to you that this is, indeed, your old friend.
Then you want to form a secure channel in order to carry on a more
extensive conversation in private. This case is subject to the
man-in-the-middle attack. For this case, a protocol is presented which
binds a pair of identities to a pair of public keys without using any
certificates issued by a trusted CA.
The apparent direct conflict between conventional wisdom and the
thesis of this paper lies in the definition of the word ``identity''
-- a word which is commonly left undefined in discussions of
View the full text of this paper in
POSTSCRIPT (209,487 Bytes) form.
To Become a USENIX Member, please see our