The authentication problem with the public key architecture

• Difficult to ensure that a public key belongs to who it says it does
• Signatures not a solution
• Solutions
  • Key fingerprint exchange over the 'phone or in person
    Fingerprint: 268F 448F CCD7 AF34 183E 52D8 9BDE 1A08 9E98 BC16
  • Organisations who collect public keys and ensure the authentication
    • Must trust the organisation's authentication process
    • Verisign etc.
  • GPG-style web of trust
    • Sign other's public keys with your secret key shows that you consider that public key as valid.
    • Anyone who considers your public key valid can consider any keys you've signed as valid.
    • Different levels of trust available
  [Next] [Contents]