How can PKI/CA ensure that a public key belongs to someone?
@Acer You can't. The idea of having PKI infrastructure wasn't meant to confirm your identity.
Instead it was built on as a "web of trust" where people can vouch if it's really your key.
If PKI can't vouch for it, how can people vouch for it via PKI?
@Acer Well, here's a good way to look at it.
I publish my public key. And I mentioned it on social media, for example.
People would vouch for my key that way.
Or... I can build an internal web of trust where we are actually friends with each other in real life and would vouch for each other's keys.
PKI should connect to root central authority.
If you just exchange public keys with friends, you don't need a PKI.
@Acer Yep. Unless you want someone to vouch for it.
Some PKI, like the Ubuntu keyserver, provide a comments section, if I'm not mistaken.
@Acer Wait, is it a comment section or just a section where there's a list of people whk signed your key? I forgot. I never upload my key to a keyserver.
What is whk?
Is it "Who"?
How can the list vouch for keys?
@Acer I can vouch for your key by signing it if you want. But that defeats the purpose, doesn't it?
The key (not literally as in "key" in "public key", but instead "the main idea" in a system) is the "web of trust".
Actually, I'm not familiar with the concept of web of trust (WOT).
I only know some darknet services have extensions of it.
When did they introduce WOT in the public key system?
@Acer Since the very beginning of the public key invention.
It's meant to be used so people can vouch for each other. It's indeed problematic on "How can you trust the key?" or "How can you be sure it's not an undercover agent that's pushing him (the key owner) to ease the investigation?"
But I think you can always do something to make people vouch for your keys.
@Acer WOT = Faith.
Yep. Something like that, but instead of a one-way connection like faith is, it's a "web" where many people can get involved.
@Acer You might want to do some research on the "double encryption method", where you would use both asymmetric and symmetric encryption.
I'm sure Stack Exchange, Super User, and Stack Overflow already had this kind of conversation before.
I'll focus on symmetric and asymmetric encryption and digital signatures first and get rid of cryptographic topics.
@Acer Good luck on your research!
No research, just learning
@Acer Research has always been used by scientists to refer to their learning process.
I wanna be cool and hip like a scientist too. That's why I said "research" instead of "finding".
@deesapoetra
Maybe the future is near.