how can PKI/CA ensure that a public key belongs to someone?
@Acer You can't. The idea of having PKI infrastructure wasn't meant to confirm your identity.
Instead it was built on as a "web of trust" where people can vouch if it's really your key.
@Acer yep. Unless you want someone to vouch for it.
Some PKI like ubuntu keyserver provide comments section if i'm not mistaken.
@Acer wait is it comment section or just a section where there's a list of people whk signed your key? I forgot. I never upload my key to a keyserver
What is whk?
Is it "Who"?
How can the list vouch for keys
@Acer yes. Pardon the typo.
@Acer i can vouch for your key by signing if you want to. But that defeats the purpose isn't it.
The key (not literally as in key in "public key" . But instead "the main idea" in a system) is "web of trust"
actually I m not familiar with the concept web of trust WOT
I only know some darknet services has extensions of it
When did they introduce wot in the public key system
@Acer since the very begining of the public key invention.
It meant to be used so people can vouch for each other. It's indeed problematic on "how can you trust the key?" Or "How can you be sure if it's not an under cover agent that pushing him (the key owner) to ease the investigation".
But i think you can always do something to make people vouch for your keys.
@Acer WOT = Faith.
Yep. Something like that, but instead of one way connection like faith are, it's a "web" where many people can get involved.
Hmm...
Vulnerabilities
Then gradually it can be a honeypot.
Live nodes in the web remain
Who can leave longer than the country / system who owns agencies and machines
@Acer Yep. That's the drawbacks. Even public key aren't that secure.
You can read the docs on how public key are generated and how it became less and less secure as computer capabilities being buffed overtime.
Maybe future is near
@Acer you might want to do a research on "double encryption method" where you would used both asymetric and symetric encryption.
I'm sure stackexchange, superuser, and stackoverflow already had this kind conversation before.
I ll focus on symmetric and asymmetric encryptions and digital signatures first and get rid of cryptographic topics
@Acer good luck on your research!
No research, just learning
@Acer research has always been used by scientist to refer their learning process.
I wanna be cool and hip like scientist too. That's why i said "research" instead of "finding".
Someone here = pki
Ubuntu keyserver = pki example
Comments section = vouch method example
The example means they have all kinds of means to vouch for keys, but no proof or authenticity and no standard one.
Right?
@deesapoetra
PKI should connect to root central authority.
If you just exchange public keys with friends, you needn't a pki