Key Distribution

A classic problem in security in distributed systems is that of how to distribute the keys. In traditional world without computers and networks, it is done <#806#> out-of-band<#806#>, by meeting, letter, phone call etc. In networks now, we usually have a two level system of trusted servers (e.g. the X.500 Directory server, or even a secure subset of World Wide Web servers has been suggested). These can hold public keys publicly, and private keys for individuals with access control appropriately set. More recently, as networks have merged into the Internet spanning all countries and walks of life, a fully distributed trust model has also emerged, and is displayed in PGP (Pretty Good Privacy). Here, instead of a hierarchy of agency approved trusted key managers, certified with the authority of governments, individuals form a web of trust, by listing those they trust to introduce them to others, and vouch for the authenticity of a public key. This has social advantages, but suffers from one potential disadvantage, which is that the revocation of a key can be difficult to archive globally. The interesting thing about the PGP model of distributed trust is that it is more open, and at the same time can be made more inherently secure, than a system where an arbitrary central authority delegates trust.