Shostack + Friends Blog Archive


Jon Callas on Comedies, Tragedy and PKI

Prompted by Peter Gutmann:

[0] I’ve never understood why this is a comedy of errors, it seems more like a tragedy of errors to me.

Jon Callas of PGP fame wrote the following for the cryptography mail list, which I’m posting in full with his permission:

That is because a tragedy involves someone dying. Strictly speaking, a tragedy involves a Great Person who is brought to their undoing and death because of some small fatal flaw in their otherwise sterling character.

In contrast, comedies involve no one dying, but the entertaining exploits of flawed people in flawed circumstances.

PKI is not a tragedy, it’s comedy. No one dies in PKI. They may get embarrassed or lose money, but that happens in comedy. It’s the basis of many timeless comedies.

Specifically, PKI is a farce. In the same strict definition of dramatic types, a farce is a comedy in which small silly things are compounded on top of each other, over and over. The term farce itself comes from the French “to stuff” and is comedically like stuffing more and more feathers into a pillow until the thing explodes.

So farces involve ludicrous situations, buffoonery, wildly improbable/implausible situations, and crude characterizations of well-known comedic types. Farces typically also involve mistaken identity, disguises, verbal humor including sexual innuendo all in a fast-paced plot that doesn’t let up piling things on top of each other until the whole thing bursts at the seams.

PKI has figured in tragedy, most notably when Polonius asked Hamlet, “What are you signing, milord?” and he answered, “OIDs, OIDs, OIDs,” but that was considered comic relief. Farcical use of PKI is far more common.

We all know the words to Gilbert’s patter-song, “I Am the Very Model of a Certificate Authority,” and Wilde’s genius shows throughout “The Importance of Being Trusted.” Lady Bracknell’s snarky comment, “To lose one HSM, Mr. Worthing, may be regarded as a misfortune, but to lose your backup smacks of carelessness,” is pretty much the basis of the WebTrust audit practice even to this day.

More to the point, not only did Cyrano issue bogus short-lived certificates to help woo Roxane, but Mozart and Da Ponte wrote an entire farcical opera on the subject of abuse of issuance, “EV Fan Tutti.” There are some who assert that he did this under the control of the Freemasons, who were then trying to gain control of the Austro-Hungarian authentication systems. These were each farcical social commentary on the identity trust policies of the day.

Mozart touched upon this again (libretto by Bretzner this time) in “The Revocation of the Seraglio,” but this was comic veneer over the discontent that the so-called Aluminum Bavariati had with the trade certifications in siding sales throughout the German states, as well as export control policies since Aluminum was an expensive strategic metal of the time. People suspected the Freemasons were behind it all yet again. Nonetheless, it was all farce.

Most of us would like to forget some of the more grotesque twentieth-century farces, like the thirties short where Moe, Larry, and Shemp start the “Daddy-O” DNS registration company and CA or the “23 Skidoo” DNA-sequencing firm as a way out of the Great Depression. But S.J. Perelman’s “Three Shares in a Boat” shows a real-world use of a threshold scheme. I don’t think anyone said it better than W.C. Fields did in “Never Give a Sucker an Even Break” and “You Can’t Cheat an Honest Man.”

I think you’ll have to agree that unlike history, which starts out as tragedy and replays itself as farce, PKI has always been farce over the centuries. It might actually end up as tragedy, but so far so good. I’m sure that if we look further, the Athenians had the same issues with it that we do today, and that Sophocles had his own farcical commentary.

One comment on "Jon Callas on Comedies, Tragedy and PKI"

  • Jon says:

    Peter rightly pointed out an error in my farce.

    It was Jerome K. Jerome who wrote “Three Shares in a Boat”. He followed it up with “Three Certificates on the Bummel”, a reference to the sharing of commercial vendors’ code-signing keys with malware authors.
