I have been reading the paper Identity-Based Encryption from the Weil Pairing by Boneh and Franklin. It presents a particular technical solution to a challenge posed by Shamir in 1984. By way of introduction it also spells out briefly what such a solution provides.
Identity-Based Encryption (IBE) is somewhat like public key technology in that there are public and private keys. With RSA the person who will own the private key generates it and concomitantly produces the related public key as a byproduct. He distributes the public key to whomever he would like to receive secure messages from. He may put it in a trusted public directory, PD, of public keys. The trust here is that it is infeasible for an attacker to put a bogus key in the PD that claims to be for the victim, when in fact the attacker holds the related private key. With RSA there are other possible means of distribution for the public key, such as PGP’s Web of Trust. A key’s fingerprint is much smaller than the key and can be conveyed in place of the public key by word of mouth or other conventional trusted means. The PD is then not trusted to reject bogus entries, merely to convey the bulky public key from its fingerprint. It is easy to check that a public key matches a fingerprint.
In common with public key crypto, Identity-Based Encryption, IBE, presumes some string of bits, a public key, for an individual. It is assumed that:
The private key is not calculated until this demand is made of the PKG. It is predetermined by and depends on some public data created and published when the PKG was established, and also on the universal master key which only the PKG knows. There is enough published data for a sender to generate a public key from the distinguished name.
In place of a distinguished name, a date may be used, which implicitly instructs the PKG not to reveal the corresponding private key until that date. Other descriptive phrases may be used in place of or along with a distinguished name.
There is no great loss if you lose your private key. Presumably you can get it again as you did the first time. The PKG has the same problems, and more, as the certificate authority.
There are proposals for splitting the authority and responsibility of the PKG into several parts, of which some quorum is required to obtain the secret key. I suppose this is like Shamir secret sharing.
The sender computes the recipient’s public key, gpk(DN, PKGk), and enciphers the message. The recipient convinces the PKG, who holds PKGx, that his name is indeed DN, whereupon the PKG computes h(DN, PKGx), the recipient’s private key, and returns it to the recipient. The recipient can now apply d to decipher the message.
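The flow above, as an added Python example that is not from the paper or from this page. Boneh and Franklin's scheme needs a pairing library, so this example substitutes Cocks' quadratic-residue IBE, which follows the same sender/PKG/recipient flow and encrypts one bit at a time. The function names gpk, h and d borrow the notation above; the modulus and the name alice@example.com are constructed toy values.

```python
import hashlib
import secrets

# Constructed toy parameters: two Mersenne primes, both 3 mod 4. Too small and too special for real use.
P, Q = 2**127 - 1, 2**89 - 1   # PKGx: master secret, known only to the PKG
N = P * Q                      # PKGk: published when the PKG is established

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; computable without the factors of n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def gpk(dn, n=N):
    """Anyone: derive the public key for a name from published data only."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{dn}|{counter}".encode()).digest()
        a = int.from_bytes(digest, "big") % n
        if jacobi(a, n) == 1:
            return a
        counter += 1

def h(dn, p=P, q=Q):
    """PKG only: private key r with r*r = +a or -a (mod n), computed on demand."""
    n = p * q
    return pow(gpk(dn, n), (n + 5 - p - q) // 8, n)

def encrypt_bit(bit, dn, n=N):
    """Sender: hide the bit in the Jacobi symbol of a random t."""
    a = gpk(dn, n)
    def mask(sign):
        while True:
            t = secrets.randbelow(n - 1) + 1
            if jacobi(t, n) == (1 if bit else -1):
                return (t + sign * a * pow(t, -1, n)) % n
    return mask(+1), mask(-1)   # one value for each possible sign of r*r

def d(cipher, r, dn, n=N):
    """Recipient: c + 2r = (t + r)^2 / t, so its Jacobi symbol equals that of t."""
    c = cipher[0] if pow(r, 2, n) == gpk(dn, n) else cipher[1]
    return jacobi(c + 2 * r, n) == 1
```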