It is important to recognize that while public-key cryptography eliminates the need for a private channel to exchange keys, it still requires that there be a tamper-proof channel. If one party can be tricked into accepting the wrong public key for the other party, then the system is compromised. If Alice sends a private message to Bob, but uses Joe’s public key instead of Bob’s key because Joe has fooled Alice, then Joe will be able to impersonate Bob. He will be able to read all of the private messages that Alice intends to send to Bob, messages that were meant to be for Bob’s eyes only.
Thus, integrity and authenticity remain essential. If the two parties share no prior information (public or otherwise) then this can pose a serious problem. One solution is to rely upon physical integrity. For example, if one party broadcasts his public key on the nightly news over network television, it is unlikely that the signal has been altered or that he has been replaced by an actor. If the viewer calls up close friends and relatives to confirm that they saw the same broadcast and the same public key was conveyed, she can be still more confident. Still, can one be completely certain? What if you have no idea what the person is supposed to look like? Is there a more practical solution?
The common solution, which is already being deployed in industry, is to use something called certificates. A certificate is somewhat analogous to a driver’s license. I can be confident that a public-key belongs to the person claiming ownership of that key provided somebody I know and trust vouches for that person. A certificate authority provides this service. To be a certificate authority, a company must be widely known and highly trusted. That company must be trusted to behave honestly, but also must be trusted to act with competence and diligence. If I receive a certificate with your name and public key, and if that certificate is digitally signed by a certificate authority I trust, then I can be confident that the public-key does indeed belong to you.
Why? Well, first of all I am confident that the signature cannot be produced by any entity other than the certificate authority; digital signatures are unforgeable. Second, I have placed my trust in the certificate authority to take whatever steps are needed to verify your identity. For example, perhaps you are required to show up in person and produce undeniable evidence of your identity (e.g. a fingerprint, a retina scan). I can now take the contents of the certificate at face value: you claim the stated public key as your own.
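The check described above, as an added example that is not part of the original text: a certificate authority signs a name and public key together, and Alice accepts a certificate only if that signature verifies under the authority's public key and the name is the one she expects. The function names, the toy RSA key and the key strings are assumptions constructed for illustration.

```python
import hashlib

# Toy RSA key for the certificate authority, built from two known Mersenne
# primes. Constructed for illustration: far too small and structured for real
# use, and real signature schemes add padding (e.g. RSA-PSS).
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
CA_PUBLIC = (P * Q, E)                   # the one key everybody must hold
CA_D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent, kept by the CA

def digest(name, public_key):
    # Hash the (name, key) binding; the length prefix keeps the two fields
    # from running together ambiguously.
    data = len(name).to_bytes(2, "big") + name.encode() + public_key.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % CA_PUBLIC[0]

def ca_issue(name, public_key):
    """CA side: called only after the applicant's identity has been checked."""
    sig = pow(digest(name, public_key), CA_D, CA_PUBLIC[0])
    return {"name": name, "public_key": public_key, "signature": sig}

def verify(cert, expected_name):
    """Alice's side: uses nothing but the CA's public key."""
    n, e = CA_PUBLIC
    signed = pow(cert["signature"], e, n) == digest(cert["name"], cert["public_key"])
    return signed and cert["name"] == expected_name

def demo():
    bob_cert = ca_issue("Bob", "BOB-PUBLIC-KEY")      # constructed sample keys
    joe_cert = ca_issue("Joe", "JOE-PUBLIC-KEY")
    swapped = dict(bob_cert, public_key="JOE-PUBLIC-KEY")  # Joe edits Bob's cert
    return {
        "genuine": verify(bob_cert, "Bob"),
        "key swapped": verify(swapped, "Bob"),
        "Joe's cert offered as Bob's": verify(joe_cert, "Bob"),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the genuine certificate is accepted: changing the key breaks the authority's signature, and Joe's own valid certificate fails because it names Joe, not Bob.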
Certificate authorities reduce the problem of distributing public-keys in an insecure environment to the problem of distributing only one public-key — that of the certificate authority. Once everybody has that key, all other public keys can be safely distributed using signed certificates. This greatly simplifies the infrastructure needed for public-key cryptography. The public key for the certificate authority is very public. Everybody knows it and uses it (to verify certificates). There is only one such key (or a very small number, one for each certificate authority). Because it is so widely known and widely used, it is easily verified. Because of the small number of certificate authorities, their keys can be broadcast in various news media that are hard to alter. The New York Times is one example. Or on network television much like lottery numbers are announced. Or —
I suddenly looked at my watch. I had let myself drift off in thought and lost track of the time. My watch said 5:40. I still had plenty of time to get back to Ms. Cryer’s building before 6:15, but it would be silly to cut it close when I wasn’t doing anything other than sitting around day-dreaming. I might as well head back and wait in the lobby.
I stood up, stretched, and began to retrace my steps toward Michigan Avenue and the walk back north. Would the black Caprice still be there? I wondered.