[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: USENIX PGP key signing service

To: Carl Ellison <cme@cybercash.com>
Subject: Re: USENIX PGP key signing service
From: Wei Dai <weidai@eskimo.com>
Date: Thu, 30 May 1996 19:01:24 -0700 (PDT)
Cc: Carl Ellison <cme@acm.org>, Greg Rose <Greg_Rose@sydney.sterling.com>, spki@c2.org, jis@mit.edu, nealmcb@lucent.com
In-Reply-To: <2.2.32.19960530220923.00375c00@cybercash.com>
Reply-To: Wei Dai <weidai@eskimo.com>
Sender: owner-spki@c2.org

Carl wrote:

> The process I gave above binds a key to both a verified human (by USENIX's
> process of checking drivers' license, etc.) *and* an e-mail account.  The
> meaning is simple.  "Carl Ellison, a USENIX member, uses this signature key
> and receives mail at cme@cybercash.com".  The process of becoming assured of
> that Meaning is not the Meaning.

Sorry for the misunderstanding.  But I think this meaning is still
somewhat ambigous.  See below.

> That aside, I agree with you.  The meaning of a cert needs to be somthing
> simple like your two examples.  The process I suggested for USENIX allows
> your example 1 directly.  It also allows
> 
> 3.      If you believe X is a USENIX member with the name Carl Ellison, then
> you should believe that X owns public key ...

My previous message tried to argue that the process you suggested
does not allow for example 1 and that stating the meaning in this explicit
form makes this fact clearer.

Let me try again.  Suppose Alice want to communicate with Bob, and the
only thing Alice knows about Bob is that his e-mail address is
bob@foo.com.  Alice has an USENIX certificate that says "If you believe
entity x has e-mail address bob@foo.com, then you should believe that
entity x owns public key ..." If the process that generated this
certificate is the one you described, then Alice should NOT use the
certificate to infer that Bob owns the given key. If she does, then she
could be open to the following attack: 

Mallet enters the USENIX signing process and truthfully provides all the
information except for the e-mail address, which he says is bob@foo.com. 
When the secret S2 is e-mailed to bob@foo.com, Mallet intercepts it and
then forges a reply that appears to come from bob@foo.com.  Now Mallet has
a certificate that says "If you believe entity x has e-mail address
bob@foo.com, then you should believe that entity x owns public key ..." 
but the given public key is Mallet's, not Bob's. 

Wei Dai

References:

Re: USENIX PGP key signing service

From: Carl Ellison <cme@cybercash.com>

Prev by Date: Re: USENIX PGP key signing service
Next by Date: Re: USENIX PGP key signing service
Prev by thread: Re: USENIX PGP key signing service
Next by thread: Re: USENIX PGP key signing service
Index(es):
- Main
- Thread