how can PKI/CA ensure that a public key belongs to someone?

@Acer You can't. The idea of having PKI infrastructure wasn't meant to confirm your identity.
Instead it was built on as a "web of trust" where people can vouch if it's really your key.

@deesapoetra

If pki can t vouch it, how can people vouch it via pki?

@Acer well. Here's a good way to look at it.
I publish my public key. And i mentioned it in social media for example.
People would vouch for my key that way.

Or... i can built an internal web of trust when we were actually friends with each other in real life and would vouch each other key.

@deesapoetra

PKI should connect to root central authority.
If you just exchange public keys with friends, you needn't a pki

@Acer yep. Unless you want someone to vouch for it.
Some PKI like ubuntu keyserver provide comments section if i'm not mistaken.

@Acer wait is it comment section or just a section where there's a list of people whk signed your key? I forgot. I never upload my key to a keyserver

@deesapoetra

What is whk?
Is it "Who"?
How can the list vouch for keys

Follow

@Acer i can vouch for your key by signing if you want to. But that defeats the purpose isn't it.
The key (not literally as in key in "public key" . But instead "the main idea" in a system) is "web of trust"

@deesapoetra

actually I m not familiar with the concept web of trust WOT
I only know some darknet services has extensions of it
When did they introduce wot in the public key system

@Acer since the very begining of the public key invention.
It meant to be used so people can vouch for each other. It's indeed problematic on "how can you trust the key?" Or "How can you be sure if it's not an under cover agent that pushing him (the key owner) to ease the investigation".
But i think you can always do something to make people vouch for your keys.

@deesapoetra

I still can t get wot.

>How

If not, the, just not.
Or wot = faith?

@Acer WOT = Faith.
Yep. Something like that, but instead of one way connection like faith are, it's a "web" where many people can get involved.

@deesapoetra

Hmm...

Vulnerabilities

Then gradually it can be a honeypot.
Live nodes in the web remain
Who can leave longer than the country / system who owns agencies and machines

@Acer Yep. That's the drawbacks. Even public key aren't that secure.
You can read the docs on how public key are generated and how it became less and less secure as computer capabilities being buffed overtime.

@Acer you might want to do a research on "double encryption method" where you would used both asymetric and symetric encryption.
I'm sure stackexchange, superuser, and stackoverflow already had this kind conversation before.

@deesapoetra

I ll focus on symmetric and asymmetric encryptions and digital signatures first and get rid of cryptographic topics

@Acer research has always been used by scientist to refer their learning process.
I wanna be cool and hip like scientist too. That's why i said "research" instead of "finding". :blobfoxboop:

Sign in to participate in the conversation
Qoto Mastodon

QOTO: Question Others to Teach Ourselves
An inclusive, Academic Freedom, instance
All cultures welcome.
Hate speech and harassment strictly forbidden.