Inferno currently uses public key cryptography only for authentication. The Station-to-Station protocol (STS) using Elgamal certificates provides mutual authentication between parties. Authentication also yields a mutually held secret that can be used to encrypt the conversation or to add a cryptographic hash to each message sent. Rather than reinvent the wheel, we use the same line format as SSL.
Two methods are used for certificate creation: a one-time registration procedure and a login procedure. The registration procedure requires a conversation between the CA and user during each registration. The login procedure requires one only when a password is assigned. Login uses a Bellovin-like encrypted key exchange.
Our trust relations are currently too simplistic; communicating parties must have keys signed by the same certifying authority. There are no attributes attached to certificates. This is sufficient for authentication but not for anything more advanced such as signing code, passing trust to third parties, etc. We are currently trying to build extensible certificates in the same vein as PolicyMaker and SDSI so that we can embed more semantics into them and reason about them.
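The STS exchange and the same-CA check described above, as an added sketch that is not Inferno's code: each side signs both Diffie-Hellman exponentials with an Elgamal key certified by one CA, and proves knowledge of the shared secret. Assumptions: all function names are hypothetical, the group is demo-sized, and an HMAC under the shared secret stands in for STS's encryption of the signature (the STS-MAC variant).

```python
import hashlib, hmac, math, secrets

P, G = 2**127 - 1, 3   # toy group (assumption): demo-sized, not secure

def H(*parts):
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def keygen():
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def sign(x, *msg):
    """Elgamal signature (r, s) over the hash of msg."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            r = pow(G, k, P)
            s = (H(*msg) - x * r) * pow(k, -1, P - 1) % (P - 1)
            if s:
                return r, s

def verify(y, sig, *msg):
    r, s = sig
    return (0 < r < P and 0 < s < P - 1
            and pow(G, H(*msg), P) == pow(y, r, P) * pow(r, s, P) % P)

def issue_cert(ca_priv, name, pub):
    return name, pub, sign(ca_priv, name, pub)   # name and key only, no attributes

def mac(secret, sig):
    key = hashlib.sha256(str(secret).encode()).digest()
    return hmac.new(key, repr(sig).encode(), hashlib.sha256).hexdigest()

def sts_send(priv, cert, eph, eph_pub, peer_pub):
    """Certificate, signature over both exponentials, MAC under K."""
    sig = sign(priv, eph_pub, peer_pub)
    return cert, sig, mac(pow(peer_pub, eph, P), sig)

def sts_check(ca_pub, msg, eph, eph_pub, peer_pub):
    """Return the shared secret K if the peer authenticates, else None."""
    (name, y, ca_sig), sig, tag = msg
    k = pow(peer_pub, eph, P)
    ok = (verify(ca_pub, ca_sig, name, y)          # same CA signed the peer's key
          and verify(y, sig, peer_pub, eph_pub)    # peer signed this session's values
          and hmac.compare_digest(tag, mac(k, sig)))  # peer knows K
    return k if ok else None
```

A certificate issued by any other CA, or a signature made over an exponential the verifier did not send, makes `sts_check` return `None`, so no shared secret is accepted.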
For more information, see http://inferno.lucent.com/